From: "O. Hartmann"
To: freebsd-questions@freebsd.org
Date: Sun, 13 Jul 2008 12:50:20 +0200
Subject: FreeBSD 7.X/8.0: Firewall performance with pf, ipfw or ipf? Any benchmarks available?
Message-ID: <4879DDEC.1010508@mail.zedat.fu-berlin.de>

Hello,

since FreeBSD 5.0 I have been using 'pf' as the packet filter on FreeBSD due to some performance advantages over ipfw at the time when FreeBSD was introduced. Now I'm a little bit detached from development and the status quo.
I read about problems in FreeBSD 7 when using 'pf' in a bridged environment: CPU load increases and packet drops are the result (on an IBM server with Intel em0/1 NICs).

Well, I'm pleased that FreeBSD comes with at least three packet filters (ipfw, ipf, pf), but in the end, the choice is up to me, and on the question of better support and performance this leaves me alone in the dark.

So, have any of the network experts benchmarked any of the packet filters? What is the preferred selection if someone would like to have a 'simple' packet filter (no usage of special features of one of the mentioned packet filters except for bridging and LAGG)?

Talking about FreeBSD 8's virtualization capabilities on the network stack: will this have implications on what filter will work or not (if at all, I do not know how abstract this virtualization really is from the packet filtering layer)?

So, sorry for the little confusion,
Oliver