What about NetBSD? I heard that NetBSD has the best network stack out there. Maybe NetBSD with pf is the best choice?
I can't find information on whether there is a Linux or BSD distribution with an effective firewall that uses an optimized algorithm to store hundreds of IPs and forward huge traffic. Any idea?
Hundreds?
http://www.openbsd.org/faq/pf/tables.html
"A table is used to hold a group of IPv4 and/or IPv6 addresses. Lookups against a table are very fast and consume less memory and processor time than lists. For this reason, a table is ideal for holding a large group of addresses as the lookup time on a table holding 50,000 addresses is only slightly more than for one holding 50 addresses. Tables can be used in the following ways:
* source and/or destination address in filter, NAT, and redirection rules.
* translation address in NAT rules.
* redirection address in redirection rules.
* destination address in route-to, reply-to, and dup-to filter rule options."
nuff said ?
I love Linux, I've been using it for almost 15 years now, and I absolutely hate iptables (and ipchains, and ipfwadm). By contrast I absolutely hate everything about OpenBSD except for pf (which I love; ipfw and ipf aren't too bad either, at least for the era), so I use OpenBSD for firewalls, and Linux for everything else.
I can back this; during 2009, I deployed a bunch of load balancers running OpenBSD (using pf, carpd, and relayd). I used to be a super die-hard BSD guy, but through the years, having used/deployed/propagated NetBSD, then FreeBSD, then OpenBSD, then NetBSD again, I took one of my usual once-a-year looks at GNU/Linux (this time CentOS, after having worked with RHEL for some years), and I got settled here.
Long story short: I'd really recommend OpenBSD for your task. iptables really sucks. I recently deployed some machines running several virtual instances (however, still the cheapest *proven* way to get several IP stacks in Linux) doing L2 routing; I threw iptables off those machines because it just can't handle stuff at that rate. OpenBSD rocks; I even have a setup running (active-active, load balanced) at about 40Mbps using Alix boards [0] -- they rock, and they are in no way busy.
OpenBSD's documentation is the best out there; its documentation quality is what I really, really badly miss in the Linux world. However, the community is a bunch of (sorry in advance) assholes. But this is well known throughout the internet, so: you have been warned. Great product, totally lame vendor. ;)
Timo
[0] -- http://pcengines.ch/alix.htm
nate
CentOS mailing list CentOS@centos.org http://lists.centos.org/mailman/listinfo/centos
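The pf tables nate quotes from the FAQ above, as an added example written for this thread (not taken from any poster or from the OpenBSD docs): a pf.conf that keeps a large address set in a table loaded from a file, filters on it, and is changed at runtime with pfctl without reloading the ruleset. The interface name em0, the file path /etc/pf/blocklist and all addresses are assumed or constructed (RFC 5737 documentation ranges).

```conf
# pf.conf fragment (added example, constructed for this thread).
# Assumptions: the external interface is em0 and /etc/pf/blocklist
# holds one address or CIDR block per line.
ext_if = "em0"

# A table is a radix tree, so a lookup against <blocklist> costs about
# the same whether it holds 50 or 50,000 entries; listing the same
# addresses inline in a rule would expand to one rule per address.
# 'persist' keeps the table even if no rule references it, so it can
# be filled from userland at any time; 'const' forbids runtime changes.
table <blocklist> persist file "/etc/pf/blocklist"
table <webservers> const { 192.0.2.10, 192.0.2.11, 192.0.2.12 }

set skip on lo

# Drop and log anything from the blocklist before any other rule runs.
block in log quick on $ext_if from <blocklist> to any

# Only the web servers in the table are reachable from outside.
pass in on $ext_if proto tcp from any to <webservers> port { 80, 443 } keep state
pass out on $ext_if keep state

# Runtime table management (run as root; no 'pfctl -f' reload needed):
#   pfctl -t blocklist -T add 198.51.100.0/24            # add a network
#   pfctl -t blocklist -T delete 198.51.100.0/24         # remove it again
#   pfctl -t blocklist -T replace -f /etc/pf/blocklist   # swap in the file atomically
#   pfctl -t blocklist -T test 198.51.100.7              # does this address match?
#   pfctl -t blocklist -T show                           # list current entries
```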
What about NetBSD? I heard that NetBSD has the best network stack out there. Maybe NetBSD with pf is the best choice?
NetBSD is a very nice OS, I personally like it most (out of all BSDs out there); however, as can be read on
http://www.netbsd.org/docs/network/pf.html
there's the 'usual lag': OpenBSD implements feature X in 4.6, wait some time to see it implemented elsewhere.
One of the biggest strengths of OpenBSD is that it's really a completely rounded piece of work. Keep it that way. pf will perform best on OpenBSD, with all the nice features it has.
HTH,
Timo
Timo Schoeler wrote:
What about NetBSD? I heard that NetBSD has the best network stack out there. Maybe NetBSD with pf is the best choice?
NetBSD is a very nice OS, I personally like it most (out of all BSDs out there); however, as can be read on
http://www.netbsd.org/docs/network/pf.html
there's the 'usual lag': OpenBSD implements feature X in 4.6, wait some time to see it implemented elsewhere.
One of the biggest strengths of OpenBSD is that it's really a completely rounded piece of work. Keep it that way. pf will perform best on OpenBSD, with all the nice features it has.
Has anyone used Firewall Builder to create a complex set of iptables rules? Or compared performance where it built the same thing for linux/iptables and bsd/pf?
Les Mikesell wrote:
Has anyone used Firewall Builder to create a complex set of iptables rules? Or compared performance where it built the same thing for linux/iptables and bsd/pf?
Are you joking? That piece of crap just puts everything into one single chain. I have never EVER used Firewall Builder since I saw the results the first time.
For a BRIDGING firewall, there is absolutely NO WAY that Linux/netfilter can keep up with OpenBSD/pf. I doubt that Linux/netfilter can even reach half the performance of OpenBSD/pf.
Chan Chung Hang Christopher wrote:
Are you joking? That piece of crap just puts everything into one single chain. I have never EVER used Firewall Builder since I saw the results the first time.
I haven't used it, but that doesn't seem to match the documentation under "Multiple Rule Sets" here: http://www.fwbuilder.org/docs/firewall_builder_3_features.html
On 12/20/09 16:22, Chan Chung Hang Christopher wrote:
For a BRIDGING firewall, there is absolutely NO WAY that Linux/netfilter can keep up with OpenBSD/pf. I doubt that Linux/netfilter can even reach half the performance of OpenBSD/pf.
Have you got some figures to back that up? Everybody's saying OpenBSD's pf performance is superior, yet nobody has posted some proof.
Glenn
RedShift wrote:
Have you got some figures to back that up? Everybody's saying OpenBSD's pf performance is superior, yet nobody has posted some proof.
Not sure myself; keep in mind that there are (at least) two different ways to measure firewall performance - connections/second and throughput. There was a URL someone posted a few days ago going in depth into tuning of OpenBSD for max performance that mentioned 930Mbit of throughput on a single gigE link.
(All performance numbers assume standard 1500-byte frame sizes.) In my own testing 5 years ago with no tuning, I was able to run iperf at roughly 500Mbit through an OpenBSD pf firewall, with about 30% CPU usage (single CPU, most of it interrupt driven). Someone(s) on the list at the time said I would have gotten more had I used multiple connections. I also recall the system being able to absorb roughly 10,000 connections/second.
It also mentioned (I think) the giant lock in the OpenBSD kernel limiting performance to a single CPU core; I'm not sure of the status of the Linux locking, whether or not iptables can effectively use more than one core.
For me using pf is more about simplicity: the configuration is easy to understand and very easy to set up. Also, setting up redundancy with pfsync is quite easy too (I tried looking for ways to replicate iptables state but all I could find was some experimental patches). Most of my firewalls need less than 1Gbps of throughput, so pf works well.
I would not expect pf, or linux to be able to scale to multi GbE speeds, for that I would go for a firewall appliance something along the lines of a Juniper Netscreen, or perhaps Checkpoint. On occasion I have thought about attempting to use multiple firewalls that are in sync in bridging mode between a pair of switches running static 802.3ad port load balancing to achieve higher overall throughput. Haven't had the time or need to attempt it though.
Maybe if I spent more time with iptables it would be easier to understand, I find the whole user experience with it to be frustrating to say the least. I haven't tried any of the various front ends out there.
I find the userspace environment of OpenBSD to be as equally frustrating as iptables, but for me I just set the box up and really don't touch it much afterwards.
I originally went with FreeBSD about 9 years ago when running bridged firewall/IDS systems, later migrated to OpenBSD for pf, and haven't seen/heard/read of a good reason to try Linux again. I do use iptables on occasion for very small setups (single server), but never for multi-system setups.
Sample, fairly complicated pf configuration(from 4 years ago): http://portal.aphroland.org/~aphro/master.pf
nate
On Sun, Dec 20, 2009 at 09:58:19AM -0800, nate wrote:
Not sure myself; keep in mind that there are (at least) two different ways to measure firewall performance - connections/second and throughput. There was a URL someone posted a few days ago going in depth into tuning of OpenBSD for max performance that mentioned 930Mbit of throughput on a single gigE link.
Some months ago there were discussions about 10 Gbit performance with Linux. Some guys were pushing over 70 Gbit/sec through a single Linux box.
Not sure if firewalling was enabled... most probably not.
-- Pasi
Pasi Kärkkäinen wrote:
Some months ago there were discussions about 10 Gbit performance with Linux. Some guys were pushing over 70 Gbit/sec through a single Linux box.
Not sure if firewalling was enabled... most probably not.
What I see consistently with iptables is people writing far too many rules and trying to micromanage traffic when the kernel already knows what it's doing. Try to keep it super simple.
*BSD's pf rules are just much simpler; it takes far fewer of them to do what you need to do.
RedShift wrote:
Have you got some figures to back that up? Everybody's saying OpenBSD's pf performance is superior, yet nobody has posted some proof.
There were figures on the Net before, but this was something like 4 years ago when I was looking into this. At that time, using Linux for a bridging firewall was akin to suicide... the chums had to go for FreeBSD (which they were more familiar with) and later one of them got an OpenBSD firewall that had lower resource usage for the same load. So sorry, I cannot give you anything.
But I can say that connection tracking sure chews CPU. I had to not use any connection tracking in the rules. This is not in a bridging scenario; this was just pure host-based filtering. So if you want something stateful... I have my doubts as to netfilter's performance versus OpenBSD pf.