On 22 Jul 2015, at 9:05 PM, Will Gwin N5KH@n5kh.org wrote:
On 7/22/15 11:17 AM, Brian Kantor wrote:
- Is there a specific reason why you're using FreeBSD vs. Linux?
I would assume that Linux's iptables is threaded and could perform better, but I don't know for sure.
I don't know either. The existing system was designed when Linux was still a toy and so it wasn't a consideration. I don't know if Linux would be superior in this precise environment; I know that in tests I've made, Linux has shown poorer network performance than FreeBSD.
pf and ipfw on FreeBSD are true stateful firewalls, whereas no Linux firewall that I'm aware of is truly stateful. iptables treats each packet individually, whereas pf/ipfw will add it as a flow and track bi-directional traffic for the duration of the connection. This is why pf/ipfw are not threaded; however, they do automatically optimize rule sets when you load them to be as efficient as possible.
iptables (Netfilter) had stateful connection tracking from day one (AFAIK since ~14 years ago).
Both Linux and BSD network stacks are very mature in both features and performance. Differences exist (I believe FreeBSD is more efficient per packet) but won't matter for AMPRNet (ever), since the kernels are now being tuned to keep up with the fastest NICs on the market (that is, 100Gb/s, which is probably faster than all AMPRNet tunnels combined for the foreseeable future). At work, my colleague runs the 10Gb/s-capable firewall for the whole division with IPFW (no issues, so no need to rewrite the policy for PF):
http://stats.meraka.csir.co.za/cacti/graph_view.php?action=tree&tree_id=...
Filtering at a router is a sure-fire way to bring throughput to a crawl. Proper campus routers are designed with ASICs optimized for routing in hardware, and firewalling is done in software. I have seen enterprise small-office routers handle 450-500 Mbps of straight routing but max out around 40 Mbps when firewalling because it's CPU bound. The results are similar when stepping up to large chassis routers.
Does the gateway need stateful filtering?
If not, this can be done at line-rate at the router with ACLs.
I would be curious to know if the current gateway is configured to track connection states, and if so, how many concurrent connections it peaks at?
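The thread turns on the difference between a stateless per-packet ACL (what a router can apply at line rate) and a stateful flow-tracking firewall (pf/ipfw keep-state, Linux conntrack), and on how many concurrent connections such a state table has to hold. The following is an added toy model written for this page, not code from the thread or from any of the firewalls named in it. It evaluates the same constructed packet sequence under both designs: the inside prefix, the addresses and the port numbers are all made up, and the tracker is deliberately simplified (a flow is opened by a SYN that the policy permits and torn down only by a RST; real conntrack/pf also time flows out and model FIN and TIME_WAIT). The point it makes is that a stateless ACL can only guess that an inbound ACK to a high port is a reply, while the stateful design knows, and that the peak size of the state table is the number the last question above is asking for.

```python
from dataclasses import dataclass

# Constructed "inside" prefix standing in for the network behind the gateway
# (hypothetical; a real gateway would use its own prefix).
INSIDE_PREFIX = "44.0.0."


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # TCP flag letters: S=SYN, A=ACK, R=RST, F=FIN


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_acl(pkt: Packet) -> bool:
    """Stateless per-packet ACL of the kind a router applies in hardware.

    It keeps no memory of earlier packets, so an inbound reply can only be
    recognised by a heuristic on the packet itself (ACK set, high port).
    """
    if is_inside(pkt.src):
        return True                      # anything outbound is permitted
    if pkt.dport == 22:
        return True                      # inbound SSH is policy-permitted
    if pkt.dport >= 1024 and "A" in pkt.flags:
        return True                      # "probably a reply": cannot know
    return False


class StatefulFirewall:
    """Flow-tracking firewall in the style of pf/ipfw keep-state or Linux
    conntrack: the first packet of a flow is checked against the policy,
    every later packet of the same flow is matched by the state table."""

    def __init__(self) -> None:
        self.flows = set()   # set of direction-independent flow keys
        self.peak = 0        # highest number of concurrently tracked flows

    @staticmethod
    def key(pkt: Packet) -> frozenset:
        # Direction-independent key so replies hit the same entry.
        return frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})

    def filter(self, pkt: Packet) -> bool:
        k = self.key(pkt)
        if k in self.flows:
            if "R" in pkt.flags:         # a reset tears the flow down
                self.flows.discard(k)
            return True                  # part of an established flow
        # Unknown flow: only a SYN may open one, and only if policy allows it
        if pkt.flags == "S" and (is_inside(pkt.src) or pkt.dport == 22):
            self.flows.add(k)
            self.peak = max(self.peak, len(self.flows))
            return True
        return False


# Constructed packet sequence (addresses and ports are made up):
SAMPLE_PACKETS = [
    Packet("44.0.0.10", 40000, "203.0.113.5", 80, "S"),      # inside opens HTTP
    Packet("203.0.113.5", 80, "44.0.0.10", 40000, "SA"),     # genuine reply
    Packet("44.0.0.10", 40000, "203.0.113.5", 80, "A"),      # handshake done
    Packet("198.51.100.7", 443, "44.0.0.10", 40001, "A"),    # unsolicited "reply"
    Packet("198.51.100.7", 55000, "44.0.0.10", 22, "S"),     # inbound SSH (allowed)
    Packet("44.0.0.10", 40000, "203.0.113.5", 80, "R"),      # inside resets HTTP
    Packet("203.0.113.5", 80, "44.0.0.10", 40000, "A"),      # packet after the reset
]


def run_demo() -> dict:
    """Run both designs over the sample and report the per-packet verdicts,
    the peak state-table size and the flows still open at the end."""
    fw = StatefulFirewall()
    return {
        "stateless": [stateless_acl(p) for p in SAMPLE_PACKETS],
        "stateful": [fw.filter(p) for p in SAMPLE_PACKETS],
        "peak_flows": fw.peak,
        "open_flows": len(fw.flows),
    }


if __name__ == "__main__":
    result = run_demo()
    for pkt, a, b in zip(SAMPLE_PACKETS, result["stateless"], result["stateful"]):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} [{pkt.flags}] "
              f"stateless={'pass' if a else 'drop'} stateful={'pass' if b else 'drop'}")
    print("peak concurrent flows:", result["peak_flows"])
```

Packets 4 and 7 are the ones that separate the two designs: the ACL passes both because they look like replies, the state table drops both because no permitted SYN ever opened those flows. On a real gateway the "peak" counter corresponds to the state-table size the firewall itself reports (on Linux the `nf_conntrack_count` and `nf_conntrack_max` values under `/proc/sys/net/netfilter/`, on pf the "current entries" line of `pfctl -si`, on ipfw the dynamic rules listed by `ipfw -d list`), which is the measurement that would answer the question about concurrent connections.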