[CentOS] Optimizing CentOS for gigabit firewall

Sun Dec 20 17:58:19 UTC 2009
nate <centos at linuxpowered.net>

RedShift wrote:

> Have you got some figures to back that up? Everybody's saying OpenBSD's pf
> performance is superior, yet nobody has posted some proof.

Not sure myself, keep in mind that there are (at least) two different
ways to measure firewall performance - connections/second and
throughput. There was a url someone posted a few days ago going in depth
into tuning of OpenBSD for max performance and mentioned 930Mbit of
throughput on a single gigE link.

(all performance numbers assume standard 1500 byte frame sizes)
In my own testing 5 years ago, with no tuning, I was able to run iperf
at roughly 500Mbit through an OpenBSD pf firewall, with about 30%
CPU usage (single CPU, most of it interrupt driven). Someone(s) on
the list at the time said I would have gotten more had I used
multiple connections. I also recall the system being able to absorb
roughly 10,000 connections/second.

It also mentioned (I think) the giant lock in the OpenBSD kernel limiting
performance to a single CPU core. I'm not sure of the status of the Linux
locking, or whether or not iptables can effectively use more than one core.

For me using pf is more about simplicity: the configuration is easy
to understand, and very easy to set up. Also setting up redundancy with
pfsync is quite easy too (I tried looking for ways to replicate iptables
state but all I could find is some experimental patches). Most of my
firewalls need less than 1Gbps of throughput, so pf works well.

I would not expect pf, or Linux, to be able to scale to multi-GbE
speeds; for that I would go for a firewall appliance, something along
the lines of a Juniper Netscreen, or perhaps Checkpoint. On occasion
I have thought about attempting to use multiple firewalls that
are in sync in bridging mode between a pair of switches running
static 802.3ad port load balancing to achieve higher overall
throughput. Haven't had the time or need to attempt it though.

Maybe if I spent more time with iptables it would be easier to
understand, I find the whole user experience with it to be
frustrating to say the least. I haven't tried any of the various
front ends out there.

I find the userspace environment of OpenBSD to be equally as
frustrating as iptables, but for me I just set the box up and
really don't touch it much afterwards.

I originally went with FreeBSD about 9 years ago when running
bridged firewall/IDS systems, later migrated to OpenBSD for
pf, and haven't seen/heard/read of a good reason to try Linux
again. I do use iptables on occasion for very small setups (single
server), but never for multi-system setups.

Sample, fairly complicated pf configuration (from 4 years ago):
http://portal.aphroland.org/~aphro/master.pf

nate
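As an added illustration of the "easy to understand, easy to set up" point and of the pfsync redundancy the post mentions, here is a minimal stateful pf.conf for a two-node OpenBSD firewall pair. It is example configuration written for this page, not the poster's own rules and not the linked master.pf; the interface names (em0/em1/em2) and the idea of a dedicated sync link are assumptions. The security detail worth noticing is that pfsync state updates carry no authentication or encryption, so the sync interface is kept on its own crossover cable and excluded from filtering rather than exposed to either network.

```conf
# Added example, not the list post's own configuration or the linked master.pf.
# Interface names and the dedicated sync link are assumed.
ext_if  = "em0"          # outside
int_if  = "em1"          # inside
sync_if = "em2"          # dedicated crossover link to the peer firewall

# pfsync state updates are unauthenticated and unencrypted: keep them on
# a dedicated wire that carries nothing else, and do not filter them.
set skip on { lo0 $sync_if }

# Default deny inbound, logging what is dropped (pflog0 / tcpdump -n -e -ttt -i pflog0).
block in log all

# Stateful outbound; replies are matched by the state table, which pfsync
# replicates to the peer so failover keeps existing sessions alive.
pass out quick keep state

# CARP heartbeats between the two firewalls on the filtered interfaces.
pass on { $ext_if $int_if } proto carp keep state

# SSH management only from the inside network to the inside address,
# then inside clients going anywhere.
pass in on $int_if proto tcp from $int_if:network to ($int_if) port 22 keep state
pass in on $int_if from $int_if:network to any keep state
```

To pair this with the redundancy setup, the peer link is enabled with a pfsync interface (an /etc/hostname.pfsync0 containing `up syncdev em2`, with em2 being the assumed sync interface above) and the shared addresses live on CARP interfaces (an /etc/hostname.carp0 of the form `inet <shared address> <netmask> <broadcast> vhid 1 pass <password> advskew 0`, with the placeholders filled in per site and a higher advskew on the backup node). Loading the ruleset with `pfctl -nf /etc/pf.conf` first parses it without applying it, which is the check to run before every change.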