[nycbug-talk] home grown firewall solutions ...

alex at pilosoft.com alex at pilosoft.com
Sat Mar 11 19:47:22 EST 2006


On Sat, 11 Mar 2006, Aleksandar Kacanski wrote:

> I am interested in putting together a fw solution with
> following specs:
> 
> 1. Multiple Gigabit Ethernet (copper) interface ports
> 2. Any offload PCI based card for firewall or TCP
> connection handling
> 3. Over 1 Gbps firewall throughput
> 4. Over 30,000 new TCP sessions per second
> 
> I need to manage HTTP traffic... I would like to put together two or
> three boxes with FreeBSD and PF, but don't know of many hardware vendors
> that have some offload PCI based solutions for FreeBSD. Anybody had
> experience with putting together something like this?
The answer is: you don't want to do that.

a) a firewall, for filtering, does not need to have a full tcp establishment
stack, or to offload its processing.

b) it is not rocket science to forward 1gbps of non-ddos traffic; in fact,
FreeBSD will work just fine out of the box on, say, a p4/3.0. And it'll work
just fine with a reasonable set of pf rules (say, up to 100).

c) it is, however, nontrivial to do this with pf 'keep state', if that's
what you want. If you want to keep state, you need lots of CPU power
and/or memory and/or hackery. 30000 new flows/second doesn't sound all
that bad, but you will be pushing the limits. No, any kind of tcp offload
will not help.

-alex
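Since the thread turns on the cost of pf 'keep state' at that flow rate, the following pf.conf fragment is an added example (not posted in the thread, and not anyone's production ruleset) contrasting a stateful HTTP rule with explicit state-table limits against a stateless rule that adds no table entry. The interface name, server address and the limit/timeout numbers are assumptions chosen for illustration.

```pf
# pf.conf fragment (added example, not from the thread).
# Interface, address and numbers below are assumptions, not values
# anyone in the discussion posted.
ext_if  = "em0"
web_srv = "203.0.113.10"    # constructed documentation-range address

# 'keep state' costs one table entry per connection for as long as the
# matching timeout keeps it alive; at 30,000 new flows/s the product of
# rate and timeout decides how large the table must be allowed to grow.
# Short timeouts keep the live set small; the ceiling stops memory blow-up.
set limit states 500000
set timeout { tcp.first 30, tcp.opening 20, tcp.established 900, \
              tcp.closing 30, tcp.finwait 15, tcp.closed 30 }
set state-policy if-bound

block in on $ext_if

# Stateful variant: only the opening SYN matches, every connection gets an
# entry, and per-source caps bound what one client can consume.
pass in quick on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA keep state (max 400000, source-track rule, max-src-states 2000)

# Stateless variant (use INSTEAD of the rule above, not alongside it):
# each packet is matched against the rules only, no entry is created,
# so there is no state-table CPU or memory cost. The trade-off is that
# pf no longer tracks sequence numbers or which side opened the flow,
# so return traffic must be permitted explicitly.
# pass in  quick on $ext_if proto tcp from any to $web_srv port 80 no state
# pass out quick on $ext_if proto tcp from $web_srv port 80 to any no state
```

Check the live table against the ceiling with `pfctl -si` (state count and limits) after loading the ruleset with `pfctl -nf /etc/pf.conf` to syntax-check it first.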
