Peter Serwe wrote:
> I'll second damn near everything nate said, and hopefully add a tidbit or
> two.
>
> If you're new to BSD, you may want to consider the pfsense project in the
> aforementioned active-active configuration.
>
> It gives you a nice, intuitive gui to manage your failover firewalls, if you
> insist on putting a firewall in front of your web servers.
>
> Better to secure the box, leave only the ports you need open on the public
> interfaces, and don't firewall them.
>
> Also, I'd strongly consider running your firewalls with no disk at all. A
> Live CD, CF card or USB Flash to boot off of, remote syslog and
> one less subsystem (disks) to buy/fail makes for some mighty cheap 1U
> servers. A single dual-core with core speeds above 3.0GHz
> and 4GB of RAM is to pass Gb @ line rate - ethernet overhead. Truth be
> told, it's already being done on much less

/me going to try to get a diskless OpenBSD setup again.

> than that. You can also load balance your traffic, albeit somewhat
> primitively with it. If you really want massive throughput, consider toying
> around with extremely expensive 10G gear, size RAM appropriately, and see
> how PF performs under multi-processor, high-core speed.
> but if you're handling over a Gb of traffic and you can't split the
> application into multiple farms, that's the best move.
>

That part about high-core speed for OpenBSD pf is definitely on. The multi-processor part...not too sure. Maybe with NUMA systems like what you get on AMD Opteron platforms.
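As an added illustration of the "secure the box, leave only the ports you need open" advice quoted above (this is example configuration written for this page, not anything posted by Peter or shipped with pfsense or OpenBSD), here is a minimal OpenBSD pf.conf for a diskless web front end: default deny with logging, only HTTP/HTTPS exposed publicly, SSH limited to a management subnet, and outbound traffic from the host itself permitted so that remote syslog, NTP and DNS still work. The interface name `em0`, the `10.0.0.0/24` management range and the `<bruteforce>` table name are placeholders chosen for the example.

```pf
# Example pf.conf (constructed for illustration, not from the original post).
# Macros: adjust the interface and management network to the real deployment.
ext_if   = "em0"              # placeholder public interface
mgmt_net = "10.0.0.0/24"      # placeholder management subnet
web_ports = "{ 80, 443 }"     # the only services exposed to the world

# Hosts that trip the connection-rate limit below land in this table.
table <bruteforce> persist

set skip on lo0               # never filter loopback
set block-policy drop         # silently drop instead of sending RST/ICMP
set loginterface $ext_if      # keep counters for the public interface

# Normalise incoming packets (reassemble fragments, randomise IP IDs).
match in all scrub (no-df random-id)

# Default deny, logged, so anything not explicitly allowed shows up in pflog.
block log all

# Public web services: stateful, with per-source connection limits so one
# client cannot exhaust the state table; offenders are added to <bruteforce>
# and their existing states flushed.
pass in on $ext_if proto tcp to ($ext_if) port $web_ports \
    keep state (max-src-conn 100, max-src-conn-rate 15/5, \
    overload <bruteforce> flush global)

# Explicitly drop anything already in the overload table.
block in quick on $ext_if from <bruteforce>

# Administration only from the management network.
pass in on $ext_if proto tcp from $mgmt_net to ($ext_if) port 22

# The box itself may initiate outbound connections (remote syslog, NTP, DNS).
pass out on $ext_if keep state
```

Check the syntax without loading it (`pfctl -nf /etc/pf.conf`), then load with `pfctl -f /etc/pf.conf`. For the remote-syslog half of the diskless setup, the matching `/etc/syslog.conf` entry is of the form `*.* @loghost` (the hostname is a placeholder), which sends every message off the box so that nothing needs to persist on local storage; blocked packets logged by the `block log` rule are visible with `tcpdump -n -e -ttt -i pflog0`.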