On 7/22/15 11:17 AM, Brian Kantor wrote:
>> 2. Is there a specific reason why you're using FreeBSD vs. Linux?
>> I would assume that Linux's iptables is threaded and could perform
>> better but I don't know for sure.
> I don't know either. The existing system was designed when Linux was
> still a toy and so it wasn't a consideration. I don't know if Linux
> would be superior in this precise environment; I know that in tests
> I've made, Linux has shown poorer network performance than FreeBSD.
pf and ipfw on FreeBSD are true stateful firewalls, whereas no Linux firewall that I'm
aware of is truly stateful. iptables treats each packet individually, where pf/ipfw will
add it as a flow and track bi-directional traffic for the duration of the connection. This
is why pf/ipfw are not threaded; however, they do automatically optimize rule sets when
you load them to be as efficient as possible.
>> 3. I liked Tom Hayward's idea to automatically filter netblocks
>> that aren't activated in the portal / DNS. That seems like a very
>> cheap way to knock out known bogus traffic. Ideally this would be
>> done at the farthest edge of the network to prevent the traffic from
>> ever even reaching the Dell server.
> It's a good idea but unfortunately impractical; to do so requires
> administrative access to the campus border router that we don't have.
Filtering at a router is a sure-fire way to bring throughput to a crawl. Proper campus
routers are designed with ASICs optimized for routing in hardware, and firewalling is
done in software. I have seen enterprise small office routers handle 450~500 Mbps of
straight routing but max out around 40 Mbps when firewalling because it's CPU bound.
The results are similar when stepping up to large chassis routers.
A better option in my opinion is splitting up tunnelling and firewalling onto separate
machines. This would allow whichever system can handle firewalling or tunnelling best to
be configured for each task and would increase throughput capacity. Of course this does
require more rack space, power, cooling, another system to configure, and someone with the
time and energy to set it up.
--
Will
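An added example, not from the thread or from the gateway's actual configuration, putting both points above into one pf ruleset: the stateful tracking Will describes (only a SYN creates state; later packets of the flow never re-evaluate the rules) and Tom Hayward's netblock idea, applied on the FreeBSD gateway itself since the border router is out of reach. Interface names, the prefix and the table file path are assumptions.

```pf
# Assumed interfaces and prefix; adjust to the real gateway.
ext_if   = "em0"          # assumed Internet-facing interface
tun_if   = "gif0"         # assumed IPIP tunnel interface toward subnets
ampr_net = "44.0.0.0/8"   # placeholder for the prefix this gateway serves

# Netblocks that are actually activated in the portal / DNS, one CIDR
# per line, exported from the portal. Swap the list without reloading
# the whole ruleset:  pfctl -t activated -T replace -f /etc/pf.activated
table <activated> persist file "/etc/pf.activated"

set block-policy drop          # drop silently, no RST/ICMP back to junk
set skip on lo0

# Default deny; logging shows how much bogus traffic is being shed.
block log all

# TCP: only a bare SYN may create a state entry. Every later packet of
# that connection, in either direction, is matched by the state table.
pass in quick on $ext_if inet proto tcp from any to <activated> \
    flags S/SA keep state
pass in quick on $ext_if inet proto { udp icmp } from any to <activated> \
    keep state

# Anything else addressed into the prefix targets a non-activated
# netblock: reject it here, cheaply, before any state is allocated.
block drop in quick on $ext_if inet from any to $ampr_net

# Subnets behind the tunnels may open connections outward; replies to
# flows created above already match existing (floating) state.
pass in on $tun_if inet from <activated> to any keep state
pass out on $ext_if inet keep state
```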