Date: Wed, 06 Aug 2008 12:49:00 +0200
From: Jordi Espasa Clofent <jespasac@minibofh.org>
To: freebsd-hackers@freebsd.org
Subject: Re: Q: case studies about scalable, enterprise-class firewall w/ IPFilter
Message-ID: <4899819C.3090502@minibofh.org>
In-Reply-To: <20080806094411.GA51807@eos.sc1.parodius.com>
References: <20080805080520.GB3063@rebelion.Sisis.de> <0FCFCF6165E968449991746EB91D614D142FD4@antipi.jnpr.net> <48995F1F.4010209@minibofh.org> <20080806094411.GA51807@eos.sc1.parodius.com>
> I'm amazed at the fact that people are actually comparing FreeBSD with
> pf to Juniper routers. I've a bit of experience with M20s and M40s, and
> I can assure you they're VERY different than a little x86 PC routing
> packets, and are significantly faster due to hardware routing.
>
> For example, you should be aware of a pf(4) bug that was only recently
> fixed. Our FreeBSD systems only use ACLs + state track, and have low
> network I/O (600kbit/sec) -- yet this sort of thing impacts production
> packets on a webserver:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/125261
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c
>
> Max committed the fix to CURRENT, and it should be MFC'd on the 11th. I
> hope it gets backported to RELENG_6 as well, since it's pretty major
> (IMHO).

Yes. That's my main personal reason to work with OpenBSD instead of FreeBSD when I need a PF dedicated device.

> My point isn't to insult or poke fun at pf or FreeBSD. I'm simply
> stating "if you really think an x86 box with pf is better than a
> Juniper, you're sadly mistaken". I'm not telling you to go out and buy
> a Juniper either, especially if it's out of your price range -- but you
> really need to be more aware of the differences before toting the "my
> FreeBSD box can do the job better!" attitude. I'm glad FreeBSD with pf
> works for you, though.

Good reasoning, Jeremy. I don't say that an x86 pf-based box is better than Juniper. I only comment that, in my case, I do all I need with two standard boxes instead of an expensive Juniper device. Anyway, it's clear that if one day the best solution is a Juniper device, I will purchase it. But at the present moment, it isn't (300Mbps/500Mbps).

> On the other hand, I find it amusing that Juniper's routers use ATA
> disks. A single disk failure results in the system becoming unusable
> administratively (requiring a reboot), while the routing engine still
> works fine (e.g. packets are still routed properly, ACLs applied,
> etc.). Config data is kept on CF, so that isn't lost. You just can't
> SSH into it, and all you'll see on serial console is repetitive ATA and
> SMART errors. I've seen this happen on three separate routers on three
> separate occasions at my workplace.

Interesting. My OpenBSD+PF FWs run at present with ATA disks also, but I'm designing a CF-based new implementation. ;)

--
Thanks,
Jordi Espasa Clofent