What solution for a gigabit firewall can you suggest? Which OS and packet filter is capable of achieving high performance and gigabit speeds?
Les Mikesell wrote:
Timo Schoeler wrote:
What about NetBSD? I heard that NetBSD has the best network stack out there. Maybe NetBSD with pf is the best choice?
NetBSD is a very nice OS, I personally like it most (out of all BSDs out there); however, as can be read on
http://www.netbsd.org/docs/network/pf.html
there's the 'usual lag': OpenBSD implements feature X in 4.6, wait some time to see it implemented elsewhere.
One of the biggest strengths of OpenBSD is that it's really a completely rounded piece of work. Keep it that way. pf will perform best on OpenBSD, with all the nice features it has.
Has anyone used Firewall Builder to create a complex set of iptables rules? Or compared performance where it built the same thing for linux/iptables and bsd/pf?
Are you joking? That piece of crap just puts everything into one single chain. I never EVER used Firewall Builder again after I saw the results the first time.
For a BRIDGING firewall, there is absolutely NO WAY that Linux/netfilter can keep up with OpenBSD/pf. I doubt that Linux/netfilter can even reach half the performance of OpenBSD/pf.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
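The "one single chain" complaint above is about ruleset structure: netfilter walks a chain rule by rule until something matches, so a flat chain costs every packet a pass over rules that cannot apply to it. The usual hand-written layout is to accept conntrack-established traffic first, then dispatch by interface pair into small leaf chains. The script below is an added example written for this thread, not code from any poster and not Firewall Builder output; it only prints an iptables-restore ruleset, so it runs without root. The interface names eth0/eth1, the prefix 192.0.2.0/24 and the host 192.0.2.10 are assumptions (RFC 5737 documentation addresses).

```shell
#!/bin/sh
# Added example: emit an iptables-restore ruleset where INPUT and FORWARD
# contain only a few dispatch rules, and the real policy lives in small
# per-path chains. Nothing is applied here; output goes to stdout.

WAN=eth0                 # assumed upstream interface
LAN=eth1                 # assumed customer-facing interface
LAN_NET=192.0.2.0/24     # assumed customer prefix
WEB_SERVER=192.0.2.10    # assumed published host behind the firewall

gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:MGMT - [0:0]
:WAN_TO_LAN - [0:0]
:LAN_TO_WAN - [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i lo -j ACCEPT
-A INPUT -i $LAN -j MGMT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate INVALID -j DROP
-A FORWARD -i $WAN -o $LAN -j WAN_TO_LAN
-A FORWARD -i $LAN -o $WAN -j LAN_TO_WAN
-A MGMT -s $LAN_NET -p tcp --dport 22 --syn -j ACCEPT
-A MGMT -j DROP
-A WAN_TO_LAN -p tcp -d $WEB_SERVER --dport 443 --syn -j ACCEPT
-A WAN_TO_LAN -p tcp -d $WEB_SERVER --dport 80 --syn -j ACCEPT
-A WAN_TO_LAN -j DROP
-A LAN_TO_WAN ! -s $LAN_NET -j DROP
-A LAN_TO_WAN -j ACCEPT
COMMIT
EOF
}

# Number of rules in a given chain, to show how short the top-level
# chains stay: a packet hits at most four rules before being dispatched.
count_rules() {
  gen_ruleset | grep -c "^-A $1 "
}

gen_ruleset
```

The established/related rule comes first because the conntrack lookup is a hash lookup, so the bulk of packets on a busy link never reach the dispatch rules at all; the leaf chains are only walked by the first packet of each flow. To check the syntax without touching the running firewall, pipe the output to `iptables-restore --test`.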
This thread is like a bad joke. You've been given the answer 37 times by 23 people.
Harrow?!!
Peter
On Sun, Dec 20, 2009 at 8:10 AM, sadas sadas mailrc@abv.bg wrote:
What solution for a gigabit firewall can you suggest? Which OS and packet filter is capable of achieving high performance and gigabit speeds?
--
Peter Serwe http://truthlightway.blogspot.com/
I've got a garage full of tools at my disposal. However, for the task at hand, which is nailing a nail, there is no tool more appropriate than the aforementioned hammer.
Peter
On Sun, Dec 20, 2009 at 12:50 PM, rainer@ultra-secure.de wrote:
This thread is like a bad joke. You've been given the answer 37 times by 23 people.
Harrow?!!
Well, if all you've got is a hammer, everything will begin to look like a nail. Doesn't it?
;-)
Rainer
I've got a garage full of tools at my disposal. However, for the task at hand, which is nailing a nail, there is no tool more appropriate than the aforementioned hammer.
Yeah, but the original poster's only tool seems to be the CentOS sledge-hammer. I could understand him if the answer to his question was "IRIX" or "Buy an IBM mainframe". I think even in large enterprises with a strict policy about what OS and what applications can go into a datacenter, there should be a way to define exceptions. Because there are always cases where the "one-size-fits-all" policy just doesn't fit at all.
Rainer
rainer@ultra-secure.de wrote:
I've got a garage full of tools at my disposal. However, for the task at hand, which is nailing a nail, there is no tool more appropriate than the aforementioned hammer.
Yeah, but the original poster's only tool seems to be the CentOS sledge-hammer. I could understand him if the answer to his question was "IRIX" or "Buy an IBM mainframe". I think even in large enterprises with a strict policy about what OS and what applications can go into a datacenter, there should be a way to define exceptions. Because there are always cases where the "one-size-fits-all" policy just doesn't fit at all.
I think the original poster was more interested in separating billing for different addresses than typical firewall tasks anyway. And in that case it might make more sense to use netflow reports from the gateway router if it has the capability, or per-interface traffic on the downstream switch ports.
Peter Serwe wrote:
This thread is like a bad joke. You've been given the answer 37 times by 23 people.
And yet, none of those responses provided any objective measurements or links to test results. Not only were most just opinions, many said the opinions were based on first impressions of old versions of things long ago.