From owner-freebsd-hackers@FreeBSD.ORG Wed Aug 6 10:49:03 2008
Message-ID: <4899819C.3090502@minibofh.org>
Date: Wed, 06 Aug 2008 12:49:00 +0200
From: Jordi Espasa Clofent
To: freebsd-hackers@freebsd.org
References: <20080805080520.GB3063@rebelion.Sisis.de> <0FCFCF6165E968449991746EB91D614D142FD4@antipi.jnpr.net> <48995F1F.4010209@minibofh.org> <20080806094411.GA51807@eos.sc1.parodius.com>
In-Reply-To: <20080806094411.GA51807@eos.sc1.parodius.com>
Subject: Re: Q: case studies about scalable, enterprise-class firewall w/ IPFilter

> I'm amazed at the fact that people are actually comparing FreeBSD with
> pf to Juniper routers. I've a bit of experience with M20s and M40s, and
> I can assure you they're VERY different than a little x86 PC routing
> packets, and are significantly faster due to hardware routing.
>
> For example, you should be aware of a pf(4) bug that was only recently
> fixed.
> Our FreeBSD systems only use ACLs + state track, and have low
> network I/O (600kbit/sec) -- yet this sort of thing impacts production
> packets on a webserver:
>
> http://www.freebsd.org/cgi/query-pr.cgi?pr=kern/125261
> http://www.freebsd.org/cgi/cvsweb.cgi/src/sys/contrib/pf/net/pf.c
>
> Max committed the fix to CURRENT, and it should be MFC'd on the 11th. I
> hope it gets backported to RELENG_6 as well, since it's pretty major
> (IMHO).

Yes. That's my main personal reason to work with OpenBSD instead of
FreeBSD when I need a dedicated PF device.

> My point isn't to insult or poke fun at pf or FreeBSD. I'm simply
> stating "if you really think an x86 box with pf is better than a
> Juniper, you're sadly mistaken". I'm not telling you to go out and buy
> a Juniper either, especially if it's out of your price range -- but you
> really need to be more aware of the differences before toting the "my
> FreeBSD box can do the job better!" attitude. I'm glad FreeBSD with pf
> works for you, though.

Good reasoning, Jeremy. I don't say that an x86 pf-based box is better
than a Juniper. I only comment that, in my case, I do all I need with two
standard boxes instead of an expensive Juniper device. Anyway, it's clear
that if one day the best solution is a Juniper device, I will purchase it.
But at the present moment, it isn't (300Mbps/500Mbps).

> On the other hand, I find it amusing that Juniper's routers use ATA
> disks. A single disk failure results in the system becoming unusable
> administratively (requiring a reboot), while the routing engine still
> works fine (e.g. packets are still routed properly, ACLs applied,
> etc.). Config data is kept on CF, so that isn't lost. You just can't
> SSH into it, and all you'll see on serial console is repetitive ATA and
> SMART errors. I've seen this happen on three separate routers on three
> separate occasions at my workplace.

Interesting. My OpenBSD+PF FWs run at present with ATA disks also, but
I'm designing a CF-based new implementation.
;)

--
Thanks,
Jordi Espasa Clofent