Date:      Mon, 22 Nov 2004 21:16:47 +0100
From:      Max Laier <max@love2party.net>
To:        freebsd-net@freebsd.org
Cc:        Pawel Malachowski <pawmal-posting@freebsd.lublin.pl>
Subject:   Re: Large NAT: ipf/ipnat, pf - opinions?
Message-ID:  <200411222117.35177.max@love2party.net>
In-Reply-To: <20041122182912.GA33296@shellma.zin.lublin.pl>
References:  <20041122182912.GA33296@shellma.zin.lublin.pl>

On Monday 22 November 2004 19:29, Pawel Malachowski wrote:
>  I'm interested in opinions/comparisons how ipnat and pf perform
> on FreeBSD 5.x in real working large NAT setups (about 50Mbit/s, few
> thousands of workstations, 300k of mappings or more). Problems noticed,
> memory and CPU consumption, mbufs utilization etc.

While the state information in pf is slightly larger than that of ipfilter
(and thus the memory consumption), pf offers many functionalities that make
it the "easier-to-manage" tool. There are also a couple of optimizations in
pf that should make it perform better, but only measuring your specific
application can tell you which is the better one for you. I'd guess that pf can
lift the load described above with an average workstation (good NICs and
plenty of RAM provided). Note, however, that for CPU consumption packets per
second is the important factor. For pf - with its stateful inspection -
connection initialization has some meaning as well (once established, passing
more traffic through a connection is cheap).

Depending on your application, you might find pf's TABLES useful, which greatly
improve management of large IP sets. There are also many options to fine-tune
the number of concurrent states that a (NAT) rule can create. This helps to
keep down memory consumption during DDoS attacks. The additional "adaptive
timeouts" can also help to manage load peaks.

That is comparing pf 3.5 (what is in RELENG_5) with ipfilter 3.x (also in
RELENG_5). ipfilter 4.x has gained some, but isn't included in FreeBSD.

-- 
/"\  Best regards,                      | mlaier@freebsd.org
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | mlaier@EFnet
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News


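The three knobs Max mentions (tables for large address sets, per-rule state limits to cap memory under a flood, and adaptive timeouts for load peaks) put together in one pf.conf fragment for a large NAT box. This is an added example, not part of the message above and not taken from the pf or FreeBSD documentation; the interface names, address ranges and limit values are assumptions chosen for illustration, and the syntax is the pf 3.5 dialect that shipped in RELENG_5.

```conf
# pf.conf for a large NAT gateway (added example; all names and numbers are
# assumptions, not a recommended configuration for any specific site).

ext_if = "em0"          # assumption: upstream interface
int_if = "em1"          # assumption: LAN-facing interface

# Raise the state table ceiling above the expected number of NAT mappings.
# The default (10000) is far too small for "300k of mappings or more".
set limit states 500000

# Adaptive timeouts: once the state count passes adaptive.start, pf scales
# all timeouts down linearly, reaching zero at adaptive.end.  The defaults
# (6000 / 12000) are sized for the default state limit, so they MUST be
# raised together with "set limit states" or timeouts start shrinking at
# a few thousand states.  Values here are 60% and 120% of the limit above.
set timeout { adaptive.start 300000, adaptive.end 600000 }

# Tables hold large address sets in a radix tree instead of one rule per
# prefix; "persist" keeps the table alive even when no rule references it,
# so it can be edited at runtime with "pfctl -t lan -T add/delete ...".
table <lan>     persist { 10.0.0.0/8 }          # assumption: client space
table <no_nat>  persist { 10.0.0.0/24 }         # assumption: servers kept un-NATed

# NAT everything from the LAN table except the excluded set.  "($ext_if)"
# tracks the interface address at runtime, so a DHCP/PPP address change
# does not require reloading the ruleset.
no nat on $ext_if from <no_nat> to any
nat on $ext_if from <lan> to any -> ($ext_if)

block in all

# Per-rule state limits keep a single flood from filling the whole table:
#   max            - states this rule may hold in total
#   source-track   - track states per source address
#   max-src-nodes  - how many distinct sources may have tracked state
#   max-src-states - states a single source may hold
# Once a limit is hit, new connections matching the rule are dropped, but
# existing states (and the rest of the table) are unaffected.
pass in on $int_if from <lan> to any keep state \
    (max 400000, source-track rule, max-src-nodes 10000, max-src-states 200)

pass out on $ext_if from ($ext_if) to any keep state (max 400000)
```

Load it with `pfctl -nf /etc/pf.conf` first to have the parser check the syntax, then `pfctl -f /etc/pf.conf`; `pfctl -si` shows the current state count against the limit and `pfctl -st` shows the effective timeouts, which is how you confirm that adaptive scaling has not started eating into established connections during normal load.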