On 22 Jul 2015, at 9:05 PM, Will Gwin <N5KH(a)n5kh.org> wrote:
On 7/22/15 11:17 AM, Brian Kantor wrote:
2. Is there a specific reason why you're using FreeBSD vs. Linux?
I would assume that Linux's iptables is threaded and could perform
better, but I don't know for sure.
I don't know either. The existing system was designed when Linux was
still a toy and so it wasn't a consideration. I don't know if Linux
would be superior in this precise environment; I know that in tests
I've made, Linux has shown poorer network performance than FreeBSD.
pf and ipfw on FreeBSD are true stateful firewalls, where no Linux firewall that I'm
aware of is truly stateful. iptables treats each packet individually where pf/ipfw will
add it as a flow and track bi-directional traffic for the duration of the connection. This
is why pf / ipfw are not threaded, however they do automatically optimize rule sets when
you load them to be as efficient as possible.
iptables (Netfilter) had stateful connection tracking from day one (AFAIK since ~14 years
ago).
Both Linux and BSD network stacks are very mature in both features and performance.
Differences exist (I believe FreeBSD is more efficient per packet) but won't matter
for AMPRNet (ever) since the kernels are now being tuned to keep up with the fastest NICs
on the market (that is, 100Gb/s, which is probably faster than all AMPRNet tunnels
combined for the foreseeable future). At work, my colleague runs the 10Gb/s-capable
firewall for the whole division with IPFW (no issues, so no need to re-write the policy
for PF):
http://stats.meraka.csir.co.za/cacti/graph_view.php?action=tree&tree_id…
Filtering at a router is a sure-fire way to bring
throughput to a crawl. Proper campus routers are designed with ASICs optimized for routing
in hardware, and firewalling is done in software. I have seen enterprise small-office
routers handle 450~500 Mbps of straight routing but max out around 40 Mbps when firewalling
because it's CPU bound. The results are similar when stepping up to large chassis
routers.
Does the gateway need stateful filtering?
If not, this can be done at line-rate at the router with ACLs.
I would be curious to know if the current gateway is configured to track connection
states, and if so, how many concurrent connections it peaks at?
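The distinction the thread keeps circling (a per-packet ACL at the router versus a stateful firewall that tracks flows) is easy to see in a toy model. The following Python is an added illustration written for this page, not code from any of the posters or from pf, ipfw or iptables; the addresses, the "inside" prefix and the packet sequence are constructed. The stateless ACL mimics the classic router "established" approximation (permit inbound TCP when ACK or RST is set), while the stateful filter only permits inbound packets that match a flow an inside host opened, and can report the concurrent-connection count the last question asks about.

```python
"""Toy comparison of a stateless 'established' ACL and a stateful flow table.

Added example, not from the mailing-list thread; all addresses and packets
are constructed. TCP handshake states are simplified to one entry per flow.
"""
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple

INSIDE_PREFIX = "44.0.0."  # constructed "inside" network for the model


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]  # subset of {"SYN", "ACK", "RST"}


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_acl(pkt: Packet) -> str:
    """Router-style ACL: a per-packet decision with no memory of prior packets.

    Policy: inside hosts may initiate anything; from outside, only packets that
    *look* like replies (ACK or RST set) are permitted. This runs at line rate
    but cannot tell a genuine reply from an unsolicited packet with ACK set.
    """
    if is_inside(pkt.src):
        return "permit"
    if pkt.flags & {"ACK", "RST"}:
        return "permit"
    return "deny"


FlowKey = Tuple[str, int, str, int]


class StatefulFirewall:
    """pf/ipfw-style filter: the first outbound SYN creates a flow entry and
    both directions of that flow are then permitted by table lookup."""

    def __init__(self) -> None:
        self.flows: Dict[FlowKey, str] = {}

    @staticmethod
    def key(p: Packet) -> FlowKey:
        return (p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def reverse_key(p: Packet) -> FlowKey:
        return (p.dst, p.dport, p.src, p.sport)

    def filter(self, pkt: Packet) -> str:
        # Any packet belonging to a tracked flow, in either direction, passes.
        if self.key(pkt) in self.flows or self.reverse_key(pkt) in self.flows:
            return "permit"
        # Only an inside host may open a new flow, and only with a bare SYN.
        if is_inside(pkt.src) and pkt.flags == frozenset({"SYN"}):
            self.flows[self.key(pkt)] = "ESTABLISHED"  # simplified state
            return "permit"
        return "deny"

    def concurrent_connections(self) -> int:
        return len(self.flows)


def run(filter_fn: Callable[[Packet], str], packets: List[Packet]) -> List[str]:
    """Feed packets through a filter in order and collect the verdicts."""
    return [filter_fn(p) for p in packets]


# Constructed scenario: an inside client opens a web connection, the server
# replies, then an outside host sends two unsolicited packets to port 22.
SCENARIO: List[Packet] = [
    Packet("44.0.0.10", 40000, "198.51.100.5", 80, frozenset({"SYN"})),
    Packet("198.51.100.5", 80, "44.0.0.10", 40000, frozenset({"SYN", "ACK"})),
    Packet("203.0.113.7", 1234, "44.0.0.10", 22, frozenset({"ACK"})),
    Packet("203.0.113.7", 1234, "44.0.0.10", 22, frozenset({"SYN"})),
]

if __name__ == "__main__":
    print("stateless ACL :", run(stateless_acl, SCENARIO))
    fw = StatefulFirewall()
    print("stateful      :", run(fw.filter, SCENARIO))
    print("tracked flows :", fw.concurrent_connections())
```

The third packet is the interesting one: the ACL passes it because ACK is set, whereas the stateful filter rejects it because no inside host ever opened that flow. That gap is the cost of the line-rate ACL approach the thread proposes, and the flow count at the end is the number a stateful gateway's state table has to hold, which is what sizes its memory and CPU budget.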