<HTML><BODY>
<p>What about NetBSD? I heard that NetBSD has the best network stack out there. Maybe NetBSD with pf is the best choice?</p>
<p>&lt;timo.schoeler@riscworks.net&gt; &lt;centos@centos.org&gt;</p>
<p>
>>> I can't find information on whether there is a Linux or BSD distribution with an effective<br>
>>> firewall that uses an optimized algorithm to store hundreds of IPs and to<br>
>>> forward huge traffic. Any idea?<br>
>><br>
>> Hundreds?<br>
>><br>
>> http://www.openbsd.org/faq/pf/tables.html<br>
>><br>
>> "A table is used to hold a group of IPv4 and/or IPv6 addresses. Lookups<br>
>> against a table are very fast and consume less memory and processor time<br>
>> than lists. For this reason, a table is ideal for holding a large group of<br>
>> addresses as the lookup time on a table holding 50,000 addresses is only<br>
>> slightly more than for one holding 50 addresses. Tables can be used in the<br>
>> following ways:<br>
>><br>
>> * source and/or destination address in filter, NAT, and redirection rules.<br>
>> * translation address in NAT rules.<br>
>> * redirection address in redirection rules.<br>
>> * destination address in route-to, reply-to, and dup-to filter rule<br>
>> options."<br>
>><br>
>> nuff said ?<br>
>><br>
>> I love Linux, I've been using it for almost 15 years now, I absolutely<br>
>> hate iptables (and ipchains, and ipfwadm). By contrast I absolutely<br>
>> hate everything about OpenBSD except for pf (which I love; ipfw and<br>
>> ipf aren't too bad either, at least for the era), so I use OpenBSD<br>
>> for firewalls, and Linux for everything else.<br>
><br>
> I can back this; during 2009, I deployed a bunch of load balancers<br>
> running OpenBSD (using pf, carpd, and relayd). I used to be a super die<br>
> hard BSD guy, but through the years, having used/deployed/propagated<br>
> NetBSD, then FreeBSD, then OpenBSD, then NetBSD again, I took one of my<br>
> usual once-a-year looks at GNU/Linux (this time, it was CentOS, after<br>
> having worked with RHEL for some years), and I got settled here.<br>
><br>
> Long story short: I'd really recommend OpenBSD for your task. iptables<br>
> really sucks. I recently deployed some machines running several virtual<br>
> instances (however still the cheapest *proven* way to get several IP<br>
> stacks in Linux) doing L2 routing; I threw iptables off of those machines<br>
> because it just can't handle stuff at that rate. OpenBSD rocks, I even<br>
> have a setup running (active-active, load balanced) at about 40Mbps<br>
> using Alix boards [0] -- they rock, and they are in no way busy.<br>
><br>
> OpenBSD's documentation is the best out there; its documentation<br>
> quality is what I really really badly miss in the Linux world. However,<br>
> the community is a bunch of (sorry in advance) assholes. But this is<br>
> well known throughout the internet, so: You have been warned. Great<br>
> product, totally lame vendor. ;)<br>
><br>
> Timo<br>
><br>
> [0] -- http://pcengines.ch/alix.htm<br>
><br>
>> nate<br>
> _______________________________________________<br>
> CentOS mailing list<br>
> CentOS@centos.org<br>
> http://lists.centos.org/mailman/listinfo/centos<br>
</p>
</BODY></HTML>
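The quoted FAQ passage explains why pf tables scale to hundreds or thousands of addresses, but it does not show how the table file is prepared. The script below is an added example, not code from the thread, from OpenBSD or from the CentOS list: it turns a raw, hand-maintained blocklist (a constructed sample is embedded) into a clean pf table file, collapsing duplicates and adjacent networks, rejecting malformed entries, and checking that the collapsed set still covers every original entry before anything is loaded. The table name `blocked` and the path `/etc/pf.blocked` are placeholders; `pfctl -t blocked -T replace -f ...` is the standard pfctl way to reload a file-backed table without reloading the rule set.

```python
"""Prepare a pf table file from a messy blocklist (added example, not from the thread)."""
import ipaddress

# Constructed sample input: the shape a hand-maintained blocklist usually has
# (duplicates, mixed IPv4/IPv6, bare host addresses, comments, one junk line).
RAW_BLOCKLIST = """\
# nightly export from the IDS (constructed sample)
203.0.113.10
203.0.113.10          # duplicate
203.0.113.0/28
203.0.113.16/28       # adjacent to the /28 above -> collapses into a /27
198.51.100.7
not-an-address
2001:db8:abcd::/48
2001:db8:abcd:1::5    # already covered by the /48 above
"""

# Placeholder table name and path; pick your own.
TABLE_NAME = "blocked"
TABLE_FILE = "/etc/pf.blocked"


def parse_blocklist(text):
    """Return (networks, rejected): valid entries normalised to ip_network
    objects (bare hosts become /32 or /128) and the tokens that did not parse."""
    networks, rejected = [], []
    for line in text.splitlines():
        token = line.split("#", 1)[0].strip()   # drop trailing comments
        if not token:
            continue
        try:
            networks.append(ipaddress.ip_network(token, strict=False))
        except ValueError:
            rejected.append(token)
    return networks, rejected


def collapse(networks):
    """Merge duplicates, covered hosts and adjacent blocks. collapse_addresses
    refuses to mix address families, so IPv4 and IPv6 are collapsed separately."""
    v4 = [n for n in networks if n.version == 4]
    v6 = [n for n in networks if n.version == 6]
    return list(ipaddress.collapse_addresses(v4)) + list(ipaddress.collapse_addresses(v6))


def verify_coverage(original, collapsed):
    """Safety check before loading: every original entry must still be inside
    some collapsed network, so nothing silently falls out of the blocklist."""
    return all(
        any(o.subnet_of(c) for c in collapsed if c.version == o.version)
        for o in original
    )


def render_table_file(networks):
    """One network per line, the format pf expects for 'table ... file'."""
    return "".join(f"{n}\n" for n in networks)


def render_pf_conf(table_name, table_file):
    """The rule-set fragment that references the table (placeholder names)."""
    return (
        f"# reload the table without touching the rule set:\n"
        f"#   pfctl -t {table_name} -T replace -f {table_file}\n"
        f'table <{table_name}> persist file "{table_file}"\n'
        f"block in quick from <{table_name}> to any\n"
    )


if __name__ == "__main__":
    nets, bad = parse_blocklist(RAW_BLOCKLIST)
    for token in bad:
        print(f"rejected: {token!r}")
    merged = collapse(nets)
    if not verify_coverage(nets, merged):
        raise SystemExit("collapse lost coverage; refusing to write table")
    print(f"--- {TABLE_FILE} ({len(nets)} raw entries -> {len(merged)} networks)")
    print(render_table_file(merged), end="")
    print("--- pf.conf fragment")
    print(render_pf_conf(TABLE_NAME, TABLE_FILE), end="")
```

Keeping the addresses in a table file rather than inline in pf.conf is what makes the "hundreds of IPs" case cheap to operate: the rule set stays one line, and the address set can be swapped with a single `pfctl -T replace` while the firewall keeps forwarding.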