Peter Serwe wrote:
> I'll second damn near everything nate said, and hopefully add a tidbit or two.
> If you're new to BSD, you may want to consider the pfsense project in the aforementioned active-active configuration.
> It gives you a nice, intuitive GUI to manage your failover firewalls, if you insist on putting a firewall in front of your web servers.
> Better to secure the box, leave only the ports you need open on the public interfaces, and don't firewall them.
> Also, I'd strongly consider running your firewalls with no disk at all. A Live CD, CF card or USB Flash to boot off of, remote syslog and one less subsystem (disks) to buy/fail makes for some mighty cheap 1U servers. A single dual-core with core speeds above 3.0GHz and 4GB of RAM is to pass Gb @ line rate - ethernet overhead. Truth be told, it's already being done on much less

/me going to try to get a diskless OpenBSD setup again.

> than that. You can also load balance your traffic, albeit somewhat primitively with it. If you really want massive throughput, consider toying around with extremely expensive 10G gear, size RAM appropriately, and see how PF performs under multi-processor, high-core speed. But if you're handling over a Gb of traffic and you can't split the application into multiple farms, that's the best move.
That part about high-core speed for OpenBSD pf is definitely on. The multi-processor part...not too sure. Maybe with NUMA systems like what you get on AMD Opteron platforms.
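As an added illustration of the "secure the box, leave only the ports you need open" advice quoted above (this is example configuration written for this thread, not anything Peter or the pfsense project posted), here is a minimal OpenBSD pf.conf for a web server host that drops everything by default, admits only the service ports on the public interface, and logs blocked traffic so it can be shipped to the remote syslog host mentioned in the same message. The interface name `em0`, the management network `192.0.2.0/24` and the port list are assumptions; adjust them to the real host.

```conf
# Added example pf.conf for a public web server host (not the poster's config).
# Interface name and management network below are assumed placeholders.
ext_if   = "em0"
mgmt_net = "192.0.2.0/24"       # assumed admin network (RFC 5737 documentation range)
web_ports = "{ 80, 443 }"        # the only services the public side should reach

set skip on lo                   # never filter loopback
set loginterface $ext_if         # keep per-interface counters for pfctl -si

# Normalise inbound packets before they reach the rules below.
match in all scrub (no-df)

# Default deny. 'log' sends dropped packets to pflog0 so they can be
# reviewed with tcpdump or forwarded to the remote syslog host.
block log all

# Stateful outbound: the server still needs DNS, NTP and package updates.
pass out on $ext_if inet proto { tcp, udp, icmp } keep state

# Public side: only the web service ports, TCP, SYN-only to create state.
pass in on $ext_if inet proto tcp to ($ext_if) port $web_ports flags S/SA keep state

# Administration (SSH) only from the management network, never from the world.
pass in on $ext_if inet proto tcp from $mgmt_net to ($ext_if) port 22 flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`, and verify from an outside host that only 80 and 443 answer. Note that `block log` writes to the binary pflog interface, not to syslog: read it with `tcpdump -n -e -ttt -i pflog0`, and if the drops should land on the remote syslog box along with the rest of the diskless host's logs, pipe that tcpdump output through `logger` rather than expecting syslogd to see pflog on its own.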