Date: Tue, 10 Jun 2008 17:19:58 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: firewall high-load performance
Message-ID: <484EA9AE.2010407@infracaninophile.co.uk>
In-Reply-To: <20080610152240.GB66787@kokopelli.hydra>
References: <20080610152240.GB66787@kokopelli.hydra>
Chad Perrin wrote:
> My preferred firewall these days, for general use, is pf. I seem to
> recall someone who has used it in high-load scenarios that it can kinda
> choke at high loads, though I don't recall whether that was due to pf
> itself or the fact he was running it on OpenBSD. Until now, this has not
> been a concern for me.
>
> I may be getting involved in a commercial project in the near future that
> could very well involve handling very large numbers of connections
> dealing with potentially high bandwidth demands, however. The
> circumstances would require some QOS, and I'm thinking of using pf/ALTQ
> for this project, but I don't want to discover after we're well underway
> that large numbers of connections would cause problems. Should I
> consider ipfw or ipfilter instead, or are my concerns with relation to
> pf's ability to handle extremely high loads of legitimate traffic
> unfounded?

pf will perform very well. I don't know if anyone has benchmarked it
against ipfw, but I suspect that any difference in performance is pretty
minimal. If you're just doing packet filtering and using a fairly run of
the mill modern machine, you should be able to keep up with Gb wire speed
without problems.

If performance is a limiting factor, then review your rule sets carefully:
arranging things so that the most popular traffic types are handled as
early as possible, knowing when to use tables vs. use address-list macros
and judicious use of quick rules can make quite a difference. Also,
/stateful/ rules are generally faster than stateless once you've got
beyond the initial packet that establishes the state. Looking stuff up in
the state table is quicker and takes place earlier in the processing
sequence than traversing the rulesets.
High load may or may not be a problem depending on your traffic patterns.
I've seen pf firewalls suffer by running out of state-table space in
situations where there are a lot of fairly short-lived but low volume
network connections. The default is 10,000 states. If your firewall
machine is dedicated to running pf and it has hundreds of MB if not GB of
RAM, then upping the size of some of those parameters by an order of
magnitude is feasible, and works well.

On the whole I'd go with pf every time simply based on how much more
manageable it is compared to ipfw -- you have to try, hard, to lock
yourself out when reloading a new pf ruleset.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard, Flat 3
Ramsgate, Kent, CT11 9PW
PGP: http://www.infracaninophile.co.uk/pgpkey
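Running out of state-table space, as described in the reply above, is easy to miss until connections start being dropped. The following check is an added example, not part of the thread: it reads the "current entries" line from `pfctl -s info` and the "states hard limit" line from `pfctl -s memory` and warns when utilisation crosses a threshold. The two pfctl outputs embedded below are constructed samples (the output layout assumed here is FreeBSD pfctl's); on a real host substitute `$(pfctl -s info)` and `$(pfctl -s memory)`.

```shell
#!/bin/sh
# Added example: estimate pf state-table utilisation so a firewall nearing
# its state limit is noticed before it starts dropping new connections.

# Constructed sample of `pfctl -s info` (only "current entries" is used).
SAMPLE_INFO='Status: Enabled for 3 days 04:12:09           Debug: Urgent

State Table                          Total             Rate
  current entries                     8731
  searches                       412399210         1589.3/s
  inserts                          9822371           37.8/s
  removals                         9813640           37.8/s'

# Constructed sample of `pfctl -s memory` (default "states" limit of 10000).
SAMPLE_MEMORY='states        hard limit    10000
src-nodes     hard limit    10000
frags         hard limit     5000
tables        hard limit     1000
table-entries hard limit   200000'

# state_count INFO_OUTPUT -> number of states currently in the table
state_count() {
    printf '%s\n' "$1" | awk '/current entries/ { print $3 }'
}

# state_limit MEMORY_OUTPUT -> configured hard limit for states
state_limit() {
    printf '%s\n' "$1" | awk '$1 == "states" && /hard limit/ { print $4 }'
}

# state_usage_pct COUNT LIMIT -> integer percentage of the table in use
state_usage_pct() {
    echo $(( $1 * 100 / $2 ))
}

# check_state_table INFO MEMORY THRESHOLD_PCT
# Prints a verdict; returns 0 below the threshold, 1 at or above it.
check_state_table() {
    count=$(state_count "$1")
    limit=$(state_limit "$2")
    pct=$(state_usage_pct "$count" "$limit")
    if [ "$pct" -ge "$3" ]; then
        echo "WARNING: pf state table at ${pct}% (${count}/${limit});" \
             "consider raising 'set limit states' in pf.conf"
        return 1
    fi
    echo "OK: pf state table at ${pct}% (${count}/${limit})"
    return 0
}

# Demo on the constructed sample: 8731/10000 = 87%, so an 80% threshold warns.
check_state_table "$SAMPLE_INFO" "$SAMPLE_MEMORY" 80 || true
```

Run it from cron or a monitoring agent with a threshold well below 100%, since the limit that matters is the one in effect after any `set limit states` tuning, which `pfctl -s memory` reports.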