RedShift wrote:
> Have you got some figures to back that up? Everybody's saying OpenBSD's pf
> performance is superior, yet nobody has posted some proof.

Not sure myself; keep in mind that there are (at least) two different ways to measure firewall performance: connections/second and throughput. There was a URL someone posted a few days ago going in depth into tuning of OpenBSD for max performance, and it mentioned 930Mbit of throughput on a single gigE link. (All performance numbers assume standard 1500 byte frame sizes.)

My own testing 5 years ago, with no tuning, I was able to run iperf at roughly 500Mbit through an OpenBSD pf firewall, with about 30% CPU usage (single CPU, most of it interrupt driven). Someone(s) on the list at the time said I would have gotten more had I used multiple connections. I also recall the system being able to absorb roughly 10,000 connections/second.

It also mentioned (I think) the giant lock in the OpenBSD kernel limiting performance to a single CPU core. I'm not sure of the status of the Linux locking, whether or not iptables can effectively use more than one core.

For me, using pf is more about simplicity: the configuration is easy to understand, and very easy to set up. Also, setting up redundancy with pfsync is quite easy too (I tried looking for ways to replicate iptables state, but all I could find is some experimental patches).

Most of my firewalls need less than 1Gbps of throughput, so pf works well. I would not expect pf, or Linux, to be able to scale to multi-GbE speeds; for that I would go for a firewall appliance, something along the lines of a Juniper Netscreen, or perhaps Checkpoint. On occasion I have thought about attempting to use multiple firewalls that are in sync in bridging mode between a pair of switches running static 802.3ad port load balancing to achieve higher overall throughput. Haven't had the time or need to attempt it though.
Maybe if I spent more time with iptables it would be easier to understand; I find the whole user experience with it to be frustrating, to say the least. I haven't tried any of the various front ends out there. I find the userspace environment of OpenBSD to be equally as frustrating as iptables, but for me I just set the box up and really don't touch it much afterwards.

I originally went with FreeBSD about 9 years ago when running bridged firewall/IDS systems, later migrated to OpenBSD for pf, and haven't seen/heard/read of a good reason to try Linux again. I do use iptables on occasion for very small setups (single server), but never for multi-system setups.

Sample, fairly complicated pf configuration (from 4 years ago): http://portal.aphroland.org/~aphro/master.pf

nate
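For readers who want to see what the "redundancy with pfsync" setup mentioned above actually looks like, here is a minimal two-node OpenBSD configuration as an added example. It is not from the post or from the linked master.pf; the interface names (em0/em1/em2), addresses (RFC 5737 / RFC 1918 ranges), the CARP password and the LAN prefix are all assumptions chosen for illustration.

```conf
# /etc/hostname.carp0 (primary node; the secondary uses the same line with advskew 100)
# The shared external address 192.0.2.1 is held by whichever node is CARP master.
inet 192.0.2.1 255.255.255.0 192.0.2.255 vhid 1 carpdev em0 pass s3cretcarp advskew 0

# /etc/hostname.pfsync0
# Replicate the pf state table to the peer over a dedicated crossover link (em2).
up syncdev em2

# /etc/sysctl.conf
# If this node loses any CARP interface, it demotes all of them so the peer
# takes over both sides at once instead of splitting traffic.
net.inet.carp.preempt=1

# /etc/pf.conf (identical on both nodes)
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"
lan     = "10.0.0.0/24"

# Never filter loopback or the pfsync link itself.
set skip on { lo $sync_if }

block log all

# CARP election traffic must pass on every interface that carries a vhid.
pass on { $ext_if $int_if } proto carp

# Stateful LAN-to-Internet traffic; pf keeps state by default on pass rules,
# and every state created here is pushed to the peer by pfsync.
pass in  on $int_if inet from $lan to any
pass out on $ext_if inet from $lan to any
```

Two caveats a practitioner would want: pfsync carries no authentication, so the syncdev link should be a physically dedicated cable (or wrapped in IPsec) rather than a shared segment, and the CARP password sits in cleartext in hostname.carp0, so that file should stay root-readable only. After a failover, `pfctl -s state` on the new master should show the same established sessions the old master had; if it does not, pfsync is not seeing the peer.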