From owner-freebsd-hackers@FreeBSD.ORG Wed Aug 6 09:44:11 2008
Date: Wed, 6 Aug 2008 02:44:11 -0700
From: Jeremy Chadwick <jdc@parodius.com>
To: Jordi Espasa Clofent
Cc: freebsd-hackers@freebsd.org
Subject: Re: Q: case studies about scalable, enterprise-class firewall w/ IPFilter
Message-ID: <20080806094411.GA51807@eos.sc1.parodius.com>
References: <20080805080520.GB3063@rebelion.Sisis.de> <0FCFCF6165E968449991746EB91D614D142FD4@antipi.jnpr.net> <48995F1F.4010209@minibofh.org>
In-Reply-To: <48995F1F.4010209@minibofh.org>
User-Agent: Mutt/1.5.18 (2008-05-17)
List-Id: Technical Discussions relating to FreeBSD <freebsd-hackers@freebsd.org>

On Wed, Aug 06, 2008 at 10:21:51AM +0200, Jordi Espasa Clofent wrote:
>> Well, there are always Juniper Networks boxes :-)
>
> I do the same (even more in some points) as Juniper boxes with simple
> standard boxes with OpenBSD and PF.
>
> At present day my central FWs are simply 2 standard boxes (each one cost
> 1000 euros approx.); I remember the Juniper guy offering me a 'cheap'
> 7000/12000 euros solution...... :P

I'm amazed at the fact that people are actually comparing FreeBSD with
pf to Juniper routers.
I've a bit of experience with M20s and M40s, and I can assure you they're
VERY different than a little x86 PC routing packets, and are
significantly faster due to hardware routing.

For example, you should be aware of a pf(4) bug that was only recently
fixed. Our FreeBSD systems only use ACLs + state tracking, and have low
network I/O (600kbit/sec) -- yet this sort of thing impacts production
packets on a webserver:

http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/125261
http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c

Max committed the fix to CURRENT, and it should be MFC'd on the 11th. I
hope it gets backported to RELENG_6 as well, since it's pretty major
(IMHO).

My point isn't to insult or poke fun at pf or FreeBSD. I'm simply
stating "if you really think an x86 box with pf is better than a
Juniper, you're sadly mistaken". I'm not telling you to go out and buy a
Juniper either, especially if it's out of your price range -- but you
really need to be more aware of the differences before touting the "my
FreeBSD box can do the job better!" attitude.

I'm glad FreeBSD with pf works for you, though.

> Moreover, as far as I know, the core of Juniper devices is BSD (FreeBSD
> especially) based.

Correct, JunOS is FreeBSD 4.x-based.

On the other hand, I find it amusing that Juniper's routers use ATA
disks. A single disk failure results in the system becoming unusable
administratively (requiring a reboot), while the routing engine still
works fine (e.g. packets are still routed properly, ACLs applied, etc.).
Config data is kept on CF, so that isn't lost. You just can't SSH into
it, and all you'll see on the serial console is repetitive ATA and SMART
errors. I've seen this happen on three separate routers on three
separate occasions at my workplace. For something that costs so much
money, you'd have expected them to go with some form of disk redundancy,
SCSI disks, or SSDs.
--
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |