On 7/22/15 11:17 AM, Brian Kantor wrote:
- Is there a specific reason why you're using FreeBSD vs. Linux?
I would assume that Linux's iptables is threaded and could perform better but I don't know for sure.
I don't know either. The existing system was designed when Linux was still a toy and so it wasn't a consideration. I don't know if Linux would be superior in this precise environment; I know that in tests I've made, Linux has shown poorer network performance than FreeBSD.
pf and ipfw on FreeBSD are true stateful firewalls, where no Linux firewall that I'm aware of is truly stateful. iptables treats each packet individually where pf/ipfw will add it as a flow and track bi-directional traffic for the duration of the connection. This is why pf / ipfw are not threaded, however they do automatically optimize rule sets when you load them to be as efficient as possible.
- I liked Tom Hayward's idea to automatically filter netblocks
that aren't activated in the portal / DNS. That seems like a very cheap way to knock out known bogus traffic. Ideally this would be done at the farthest edge of the network to prevent the traffic from ever even reaching the Dell server.
It's a good idea but unfortunately impractical; to do so requires administrative access to the campus border router that we don't have.
Filtering at a router is a surefire way to bring throughput to a crawl. Proper campus routers are designed with ASICs optimized for routing in hardware, and firewalling is done in software. I have seen enterprise small office routers handle 450-500 Mbps of straight routing but max out around 40 Mbps when firewalling because it's CPU bound. The results are similar when stepping up to large chassis routers.
A better option in my opinion is splitting up tunnelling and firewalling onto separate machines. This would allow whichever system can handle firewalling or tunnelling best to be configured for each task and would increase throughput capacity. Of course this does require more rack space, power, cooling, another system to configure, and someone with the time and energy to set it up.
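The flow-tracking behaviour described in the reply above, as an added example that is not code from this thread or from pf/ipfw: a small Python model of a "keep state" filter next to a per-packet ACL with no memory, run over constructed packets. The addresses, ports and STATE_TIMEOUT are assumed values chosen for the illustration.

```python
from collections import namedtuple

# Constructed packet record: 5-tuple, direction relative to the firewall, timestamp.
Packet = namedtuple("Packet", "proto src sport dst dport direction ts")
STATE_TIMEOUT = 60  # idle seconds before a flow entry is dropped (assumed value)


def flow_key(pkt):
    # Normalise both directions of a connection to one key, so the reply
    # (dst -> src) hits the same state entry as the request (src -> dst).
    a, b = (pkt.src, pkt.sport), (pkt.dst, pkt.dport)
    return (pkt.proto,) + (a + b if a <= b else b + a)


class StatefulFilter:
    """Model of pf/ipfw 'keep state' behaviour: outbound packets may create a
    flow, inbound packets pass only if they belong to a live flow."""

    def __init__(self):
        self.states = {}  # flow key -> last-seen timestamp

    def filter(self, pkt):
        # Expire idle flows first so a stale entry cannot admit a late packet.
        for k in [k for k, t in self.states.items() if pkt.ts - t > STATE_TIMEOUT]:
            del self.states[k]
        k = flow_key(pkt)
        if k in self.states or pkt.direction == "out":
            self.states[k] = pkt.ts  # refresh or create the flow entry
            return "pass"
        return "drop"  # unsolicited inbound packet, no matching state


def stateless_filter(pkt):
    # Per-packet ACL with no memory: to let HTTPS replies back in it must
    # accept every inbound packet with source port 443, whatever the target.
    return "pass" if pkt.direction == "out" or pkt.sport == 443 else "drop"


def demo():
    fw = StatefulFilter()
    pkts = [
        Packet("tcp", "44.0.0.10", 50000, "198.51.100.5", 443, "out", 0),   # request
        Packet("tcp", "198.51.100.5", 443, "44.0.0.10", 50000, "in", 1),    # reply
        Packet("tcp", "203.0.113.9", 443, "44.0.0.10", 22, "in", 2),        # unrelated inbound
        Packet("tcp", "198.51.100.5", 443, "44.0.0.10", 50000, "in", 200),  # after timeout
    ]
    return [fw.filter(p) for p in pkts], [stateless_filter(p) for p in pkts]
```

The stateful model admits only the genuine reply and drops the unrelated inbound packet and the late one, while the stateless ACL has to let every source-port-443 packet through.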