> What about NetBSD? I heard that NetBSD has the best network stack out
> there. Maybe NetBSD with pf is the best choice?

NetBSD is a very nice OS, I personally like it most (out of all BSDs out
there); however, as can be read on http://www.netbsd.org/docs/network/pf.html
there's the 'usual lag': OpenBSD implements feature X in 4.6, wait some time
to see it implemented elsewhere. One of the biggest strengths of OpenBSD is
that it's really a completely rounded piece of work. Keep it that way. pf
will perform best on OpenBSD, with all the nice features it has.

HTH,
Timo

>>>> I can't find information on whether there is a Linux or BSD distribution
>>>> with an effective firewall that uses an optimized algorithm to store
>>>> hundreds of IPs and to forward huge traffic. Any idea?
>>>
>>> Hundreds?
>>>
>>> http://www.openbsd.org/faq/pf/tables.html
>>>
>>> "A table is used to hold a group of IPv4 and/or IPv6 addresses.
>>> Lookups against a table are very fast and consume less memory and
>>> processor time than lists. For this reason, a table is ideal for
>>> holding a large group of addresses as the lookup time on a table
>>> holding 50,000 addresses is only slightly more than for one
>>> holding 50 addresses. Tables can be used in the following ways:
>>>
>>> * source and/or destination address in filter, NAT, and
>>>   redirection rules.
>>> * translation address in NAT rules.
>>> * redirection address in redirection rules.
>>> * destination address in route-to, reply-to, and dup-to filter
>>>   rule options."
>>>
>>> 'nuff said?
>>>
>>> I love Linux, I've been using it for almost 15 years now, I
>>> absolutely hate iptables (and ipchains, and ipfwadm). By contrast
>>> I absolutely hate everything about OpenBSD except for pf (which I
>>> love; ipfw and ipf aren't too bad either, at least for the era),
>>> so I use OpenBSD for firewalls, and Linux for everything else.
>>
>> I can back this; during 2009, I deployed a bunch of load balancers
>> running OpenBSD (using pf, carpd, and relayd). I used to be a super
>> die-hard BSD guy, but through the years, having
>> used/deployed/propagated NetBSD, then FreeBSD, then OpenBSD, then
>> NetBSD again, I took one of my usual once-a-year looks at GNU/Linux
>> (this time, it was CentOS, after having worked with RHEL for some
>> years), and I got settled here.
>>
>> Long story short: I'd really recommend OpenBSD for your task.
>> iptables really sucks. I recently deployed some machines running
>> several virtual instances (however still the cheapest *proven* way
>> to get several IP stacks in Linux) doing L2 routing; I threw
>> iptables off of those machines because it just can't handle stuff at
>> that rate. OpenBSD rocks, I even have a setup running
>> (active-active, load balanced) at about 40Mbps using Alix boards
>> [0] -- they rock, and they are in no way busy.
>>
>> OpenBSD's documentation is the best out there; its documentation
>> quality is what I really really badly miss in the Linux world.
>> However, the community is a bunch of (sorry in advance) assholes.
>> But this is well known throughout the internet, so: you have been
>> warned. Great product, totally lame vendor. ;)
>>
>> Timo
>>
>> [0] -- http://pcengines.ch/alix.htm
>>
>>> nate
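As an added illustration of the table mechanism that the FAQ passage quoted above describes (filter, NAT, redirection and route-to uses of one address set), here is a pf.conf fragment together with the pfctl commands that manage the table at runtime. This is example configuration written for this page, not configuration posted by anyone in the thread. It uses the match/nat-to/rdr-to syntax OpenBSD has had since 4.7 (the thread mentions 4.6, whose nat/rdr syntax differs); the table names, the interface names em1/egress, the file /etc/pf.blocked and the addresses (taken from the RFC 5737 documentation ranges) are all assumptions.

```pf
# /etc/pf.conf fragment -- example written for this page; names, interfaces
# and addresses are assumed, not taken from the thread.

# Addresses to drop. 'persist' keeps the table alive even when no rule
# references it; 'file' preloads it from a list, one address or network
# per line. Lookups are radix-tree based, so the size of the table has
# little effect on per-packet cost, which is the point the FAQ makes.
table <blocked> persist file "/etc/pf.blocked"

# Internal networks allowed out. Kept in a table so it can be changed at
# runtime with pfctl instead of editing and reloading the rule set.
table <lan> { 10.0.0.0/8, 192.168.0.0/16 }

# Pool of web servers used as a redirection target.
table <webpool> { 192.0.2.10, 192.0.2.11, 192.0.2.12 }

set skip on lo

# 1. Table as source address in a filter rule: drop early, before any
#    state is created for the connection.
block in quick on egress from <blocked> to any

# 2. Table as source address in a NAT rule: translate outbound LAN traffic
#    to the address of the external interface.
match out on egress from <lan> to any nat-to (egress)

# 3. Table as redirection address: spread inbound HTTP over the pool.
pass in on egress proto tcp to (egress) port 80 rdr-to <webpool> round-robin

# 4. Table as destination in a route-to option: policy-route traffic for
#    the pool through a specific next hop on em1.
pass out on em1 route-to (em1 203.0.113.1) from <lan> to <webpool>

# Runtime management, as root, with no rule-set reload needed:
#   pfctl -nf /etc/pf.conf                            # syntax-check first
#   pfctl -t blocked -T add 198.51.100.0/24 198.51.100.77   # add entries
#   pfctl -t blocked -T delete 198.51.100.77          # remove one entry
#   pfctl -t blocked -T show                          # list the table
#   pfctl -t blocked -T test 198.51.100.9             # does this address match?
#   pfctl -t blocked -T replace -f /etc/pf.blocked    # atomic reload from file
```

The `-T test` check is the one worth remembering when a table is fed from an external source: it tells you whether a given address is currently covered by any entry (a /24 covers its hosts), which is quicker than reading through a large `-T show` listing. Using `-T replace` rather than flush-then-add avoids a window in which the table is empty and the block rule matches nothing.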