[CentOS] Optimizing CentOS for gigabit firewall

Christopher Chan christopher.chan at bradbury.edu.hk
Mon Dec 21 04:04:59 UTC 2009


RedShift wrote:
> On 12/20/09 16:22, Chan Chung Hang Christopher wrote:
>> Les Mikesell wrote:
>>> Timo Schoeler wrote:
>>>>> What about NetBSD? I heard that NetBSD has the best network stack out
>>>>> there. Maybe NetBSD with pf is the best choice?
>>>> NetBSD is a very nice OS, I personally like it most (out of all BSDs out
>>>> there); however, as can be read on
>>>>
>>>> http://www.netbsd.org/docs/network/pf.html
>>>>
>>>> there's the 'usual lag': OpenBSD implements feature X in 4.6, wait some
>>>> time to see it implemented elsewhere.
>>>>
>>>> One of the biggest strengths of OpenBSD is that it's really a completely
>>>> rounded piece of work. Keep it that way. pf will perform best on
>>>> OpenBSD, with all the nice features it has.
>>> Has anyone used Firewall Builder to create a complex set of iptables
>>> rules?  Or compared performance where it built the same thing for
>>> linux/iptables  and bsd/pf?
>>>
>>
>> Are you joking? That piece of crap just puts everything into one single
>> chain. I never EVER use Firewall Builder after I saw the results the
>> first time.
>>
>> For a BRIDGING firewall, there is absolutely NO WAY that Linux/netfilter
>> can keep up with OpenBSD/pf. I doubt that Linux/netfilter can even reach
>> half the performance of OpenBSD/pf.
> 
> Have you got some figures to back that up? Everybody's saying OpenBSD's pf performance is superior, yet nobody has posted some proof.
> 

There were figures before on the Net but this was something like 4 years 
ago when I was looking into this. At that time, using Linux for a 
bridging firewall was akin to suicide...the chums had to go for FreeBSD 
(which they were more familiar with) and later one of them got an 
OpenBSD firewall that had lower resource usage for the same load. So 
sorry, I cannot give you anything.

But I can say that connection tracking sure chews CPU. I had to not use 
any connection tracking in the rules. This is not in a bridging scenario. 
This was just pure host-based filtering. So if you want something 
stateful...I have my doubts as to netfilter's performance versus OpenBSD pf.
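
Added editorial example, not rules posted in this thread: a host-based
netfilter ruleset of the kind the post describes, in iptables-restore
format, that avoids connection tracking altogether. It is assumed to run on
a 2.6-era kernel such as CentOS 5 shipped, where the raw table and the
NOTRACK target are available; the resolver address 192.0.2.53 and the port
list 22,80,443 are constructed placeholders.

```text
# Added example (not from the thread): stateless host firewall for
# iptables-restore. Assumes a 2.6 kernel with the raw table and NOTRACK.
#
# The CPU-expensive form this replaces, for comparison (every packet is
# looked up in the conntrack table before the first rule can accept it):
#   -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
#   -A INPUT -p tcp --dport 22 -m state --state NEW -j ACCEPT

*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Mark every packet untracked: no conntrack entry is created or looked up.
-A PREROUTING -j NOTRACK
-A OUTPUT -j NOTRACK
COMMIT

*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Stateless stand-in for "--state ESTABLISHED": accept any TCP segment that
# is not an opening SYN. This is what conntrack did for us, minus its
# sequence-number and window sanity checks.
-A INPUT -p tcp ! --syn -j ACCEPT
# New TCP connections only to the services this host publishes
# (constructed port list).
-A INPUT -p tcp --syn -m multiport --dports 22,80,443 -j ACCEPT
# UDP replies cannot be told from new flows without state, so open only
# what is needed: here, DNS answers from a constructed resolver address.
-A INPUT -p udp -s 192.0.2.53 --sport 53 -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -j ACCEPT
-A INPUT -p icmp --icmp-type echo-reply -j ACCEPT
COMMIT
```

Load it with `iptables-restore < rules` and confirm the conntrack table
stays empty (`/proc/net/ip_conntrack` on CentOS 5 kernels) under load. The
trade-off is visible in the rules themselves: `! --syn` lets any non-SYN
TCP packet reach a closed port (which then answers with a RST), and every
UDP service the host talks to needs its own explicit reply rule. NAT still
requires connection tracking, so this approach only fits a pure filtering
host, which is the scenario the post describes.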
