After a quick search in Google:
I will try to patch the latest Linux kernel with pf. What do you think?
sadas sadas wrote:
I can't find information on whether there is a Linux or BSD distribution with an effective firewall that uses an optimized algorithm to store hundreds of IPs and forward huge traffic. Any idea?
Hundreds?
http://www.openbsd.org/faq/pf/tables.html
"A table is used to hold a group of IPv4 and/or IPv6 addresses. Lookups against a table are very fast and consume less memory and processor time than lists. For this reason, a table is ideal for holding a large group of addresses as the lookup time on a table holding 50,000 addresses is only slightly more than for one holding 50 addresses. Tables can be used in the following ways:
- source and/or destination address in filter, NAT, and redirection rules.
- translation address in NAT rules.
- redirection address in redirection rules.
- destination address in route-to, reply-to, and dup-to filter rule options."
'nuff said?
I love Linux, I've been using it for almost 15 years now, I absolutely hate iptables (and ipchains, and ipfwadm). By contrast I absolutely hate everything about OpenBSD except for pf (which I love; ipfw and ipf aren't too bad either, at least for the era), so I use OpenBSD for firewalls, and Linux for everything else.
nate
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
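As an added illustration of the pf tables nate points at (example code, not from the thread or from OpenBSD): a small shell script that builds a persistent table from an address file, the pf.conf fragment that references it, and the pfctl calls that atomically reload and query it. The table name, the scratch paths and the address list are assumed/constructed.

```shell
#!/bin/sh
# Added example (not from the thread or OpenBSD): feed a large address list into a
# pf table from a file and query it. Table name, paths and addresses are assumed.
set -u

WORKDIR="${WORKDIR:-$(mktemp -d)}"       # scratch directory, assumed location
ADDR_FILE="$WORKDIR/blocklist.txt"       # one address or network per line
PF_SNIPPET="$WORKDIR/pf-tables.conf"     # fragment to include from pf.conf

# Constructed sample list: IPv4/IPv6 hosts and networks, plus a comment and a
# malformed line to show what validation must catch before pfctl sees it.
write_sample_list() {
    cat > "$ADDR_FILE" <<'EOF'
# documentation ranges only
192.0.2.10
192.0.2.0/24
198.51.100.7
2001:db8::/32
2001:db8::1
not-an-address
EOF
}

# Lines pf would try to load: blank lines and '#' comments are skipped.
entries() {
    grep -Ev '^[[:space:]]*(#|$)' "$ADDR_FILE"
}

# Crude pre-check: an entry may only contain hex digits, '.', ':' and '/'.
# Anything else makes "pfctl -T replace" reject the whole file, so count them.
invalid_entries() {
    entries | grep -Evc '^[0-9a-fA-F.:/]+$' || true
}

# pf.conf fragment. "persist" keeps the table even when no rule references it,
# so it can be refilled with pfctl without reloading the whole ruleset.
write_pf_snippet() {
    cat > "$PF_SNIPPET" <<EOF
table <blocklist> persist file "$ADDR_FILE"
block in quick on egress from <blocklist> to any
block out quick on egress from any to <blocklist>
EOF
}

# Live operations, meaningful only on a host running pf:
reload_table() { pfctl -t blocklist -T replace -f "$ADDR_FILE"; }   # atomic swap
test_address() { pfctl -t blocklist -T test "$1"; }                 # membership

write_sample_list
write_pf_snippet
```

Run `invalid_entries` before `reload_table`; a non-zero count means the file needs cleaning first, otherwise pfctl refuses the replace and the old table contents stay in place.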
Get OpenBSD. Honestly -- all this porting of relatively kernel-close stuff is just braindead.
Timo
After a quick search in Google:
I will try to patch the latest Linux kernel with pf.
Hey! Wait: "The name of this patchset is not connected with BSD Packet Filter. «pf» means «post-factum» in the short form."
What do you think?
Get OpenBSD. Honestly -- all this porting of relatively kernel-close stuff is just braindead.
If you need PF, get OpenBSD.
You can't patch the Berkeley Packet Filter into Linux. The Linux kernel doesn't support it.
and...
Despite a cacophonous chorus of replies directing you to the right tool for the job, you insist on sticking with Linux.
If you want to use the wrong tool for the job, by all means, use ipset/iptables - have a great time with it. When it doesn't give you the performance you want, then you will probably go buy something else.
I don't care how you pretty up iptables and its predecessor, ipchains, it's still a black eye on Linux comparatively speaking.
Berkeley invented TCP/IP, the Berkeley TCP/IP stack is implemented on just about every platform/OS combination there is.
Berkeley *is* networking. And yes, the community around BSD are assholes, but they are semi-entitled. Their shit is way better documented than just about anything else in Open Source, including most things Linux.
Peter
On Fri, Dec 18, 2009 at 12:16 PM, sadas sadas mailrc@abv.bg wrote:
After a quick search in Google:
I will try to patch the latest Linux kernel with pf. What do you think?
--
Peter Serwe http://truthlightway.blogspot.com/
On 12/18/2009 10:12 PM, Peter Serwe wrote:
You can't patch the Berkeley Packet Filter into Linux. The Linux kernel doesn't support it.
and...
Despite a cacophonous chorus of replies directing you to the right tool for the job, you insist on sticking with Linux.
If you want to use the wrong tool for the job, by all means, use ipset/iptables - have a great time with it. When it doesn't give you the performance you want, then you will probably go buy something else.
I don't care how you pretty up iptables and its predecessor, ipchains, it's still a black eye on Linux comparatively speaking.
Berkeley invented TCP/IP, the Berkeley TCP/IP stack is implemented on just about every platform/OS combination there is.
Berkeley *is* networking. And yes, the community around BSD are assholes,
(I'd like to say that all other BSD communities are very friendly; the one exception is the OpenBSD guys. OTOH, they're sometimes more than on the right track: e.g., when they say 'open source', they mean it. GNU/Linux is as lame as the FreeBSD guys, as both allow tainted stuff, such as binary-only drivers (nVidia, e.g.). NetBSD is neither one nor the other.)
Timo
but they are semi-entitled. Their shit is way better documented than just about anything else in Open Source, including most things Linux.
Peter
On 12/18/2009 4:12 PM, Peter Serwe wrote:
If you want to use the wrong tool for the job, by all means, use ipset/iptables - have a great time with it. When it doesn't give you the performance you want, then you will probably go buy something else.
Or wrap it up using Shorewall or one of the other meta tools that manage the iptables chains for you.
sadas sadas wrote:
After a quick search in Google:
I will try to patch the latest Linux kernel with pf. What do you think?
Don't know; my first bet would be to try Debian/BSD and see if ipf is in there. It's not officially released yet, but it will be in the next major release of Debian.
http://www.debian.org/News/2009/20091007
nate (been using Debian for ~12 years)