firewall high-load performance

Wojciech Puchar wojtek at wojtek.tensor.gdynia.pl
Tue Jun 10 22:35:18 UTC 2008


> High load may or may not be a problem depending on your traffic patterns.
> I've seen pf firewalls suffer by running out of state-table space in
> situations where there are a lot of fairly short-lived but low volume
> network connections.  The default is 10,000 states.  If your firewall machine


Is this state table a hash table or something similar? If so, making it 
much bigger than the CPU cache may actually slow things down, because DRAM 
access latency is huge on modern machines.

> On the whole I'd go with pf every time simply based on how much more
> manageable it is compared to ipfw -- you have to try, hard, to lock
> yourself out when reloading a new pf ruleset.

I already learned well about locking myself out after making a mistake in ipfw rules.

Now I run screen and do something like this:

cd /etc
cp firewall firewall.old
cp firewall firewall.new
<edit> firewall.new
cp firewall.new firewall;/etc/rc.d/ipfw restart;sleep 100;cp firewall.old firewall;/etc/rc.d/ipfw restart

Then I have 100 seconds to quickly test the new rules, at least to make sure 
I'm not locked out.
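The timed-revert idea from the post, written out as an added example (not the poster's own script): instead of always reverting after a fixed sleep, the old ruleset is restored only if nobody confirms from a still-working session within the window, or if the reload command itself fails. The file names, the confirm file and the reload command are assumed parameters so the logic can be exercised with a dummy reload.

```shell
#!/bin/sh
# Added example, not the poster's script. Apply a candidate ruleset, keep a
# known-good copy (as the post does with firewall.old), and revert unless a
# confirm file appears within the timeout. On the poster's setup the call
# would look like (assumed paths/command as in the post):
#   safe_reload /etc/firewall /etc/firewall.new 100 /tmp/fw.ok /etc/rc.d/ipfw restart
#
# Returns 0 when the new rules were confirmed and kept, 1 if the reload
# command failed (old rules restored), 2 on timeout (old rules restored).
safe_reload() {
    live=$1 cand=$2 timeout=$3 confirm=$4
    shift 4                                 # remaining args: reload command
    rm -f "$confirm"                        # a stale confirm must not count
    cp "$live" "$live.old" || return 1      # known-good copy, as in the post
    cp "$cand" "$live" || return 1
    if ! "$@"; then                         # reload rejected the new ruleset
        cp "$live.old" "$live"; "$@"
        return 1
    fi
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if [ -e "$confirm" ]; then          # someone still logged in said ok
            rm -f "$confirm"
            return 0
        fi
        sleep 1
        elapsed=$((elapsed + 1))
    done
    cp "$live.old" "$live"                  # no confirmation: assume locked out
    "$@"
    return 2
}
```

Confirming is just `touch /tmp/fw.ok` from the session that can still reach the box; if that session is gone, the rollback runs on its own.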


More information about the freebsd-questions mailing list