[nycbug-talk] home grown firewall solutions ...
Aleksandar Kacanski
kacanski_s at yahoo.com
Sat Mar 11 22:04:11 EST 2006
Thank you for your response.
I happened to worry about DDOS so I am looking for something to offload. Still I like when someone confirms that FBSD+PF is not rocket science to setup...
/s
--- alex at pilosoft.com wrote:
> On Sat, 11 Mar 2006, Aleksandar Kacanski wrote:
>
> > I am interested in putting together a fw solution with following specs:
> >
> > 1. Multiple Gigabit Ethernet (copper) interface ports
> > 2. Any offload PCI based card for firewall or TCP connection handling
> > 3. Over 1 Gbps firewall throughput
> > 4. Over 30,000 new TCP sessions per second
> >
> > I need to manage HTTP traffic... I would like to put together two or three boxes with FreeBSD and PF, but don't know of many hardware vendors that have some offload PCI based solutions for FREEBSD. Anybody had experience with putting together something like this?
>
> The answer is: you don't want to do that.
>
> a) firewall, for filtering, does not need to have full tcp establishment stack, or need to offload it processing.
>
> b) it is not rocket science to forward 1gbps of non-ddos traffic, in fact, freebsd will work just fine out of the box on say p4/3.0. And, it'll work just fine with a reasonable set of pf rules (say, up to 100).
>
> c) it is, however, nontrivial to do this with pf 'keep state', if that's what you want. if you want to keep state, you need lots of CPU power and/or memory and/or hackery. 30000 new flows/second doesn't sound all that bad but you will be pushing the limits. No, any kind of tcp offload will not help.
>
> -alex
>
Aleksandar (Sasha) Kacanski
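What alex's point (c) implies in a pf.conf, as an added example that is not part of the thread: sizing the state table and timeouts for 30000 new TCP flows/second rather than buying offload hardware. Interface names, the server address and the chosen limits are assumptions; the keywords used (`set limit states`, `set timeout`, adaptive timeouts, per-rule `max`) are standard pf.conf options.

```pf
# Constructed pf.conf fragment (added example, not from the thread). Interface
# names, the web server address and the sizing numbers are assumptions.
ext_if  = "em0"
int_if  = "em1"
web_srv = "192.0.2.10"

# Sizing: at 30000 new TCP flows/second, every state lives at least as long as
# tcp.first (time allowed for the handshake to complete). With a 30 s tcp.first,
# connections that never complete can alone pin 30000 * 30 = 900000 states, so
# the default 10000-entry state pool is exhausted in well under a second.
# Each state costs kernel memory, so the box must have RAM to back this pool.
set limit states 2000000

# Shorter-than-default timeouts so half-open and abandoned flows are reclaimed
# quickly (defaults of that era: tcp.first 120 s, tcp.established 86400 s).
set timeout { tcp.first 30, tcp.opening 15, tcp.closing 60 }
set timeout { tcp.finwait 30, tcp.closed 15 }
set timeout tcp.established 3600

# Adaptive timeouts scale every timeout down linearly once the state count
# passes adaptive.start, reaching zero at adaptive.end. The defaults (6000 and
# 12000) are sized for the default 10000-state table; raising 'set limit
# states' without raising these makes pf shred timeouts at 6000 states.
set timeout { adaptive.start 1200000, adaptive.end 2000000 }

# States are floating by default, so the state created when a SYN arrives on
# $ext_if also passes the forwarded packet out $int_if and the reply back.
# An if-bound policy would need a second rule and double the state count.
set state-policy floating
set skip on lo0

block in log on $ext_if all

# Match only the initial SYN so exactly one state is created per connection,
# and cap this rule's states below the global limit so a flood aimed at the
# web tier cannot starve the rest of the ruleset of state entries.
pass in on $ext_if proto tcp from any to $web_srv port 80 \
    flags S/SA keep state (max 1500000)

# Outbound connections from the inside; reply packets match the state.
pass out on $ext_if proto tcp flags S/SA keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `pfctl -si` for the "current entries" and "memory" counters under load to see whether the limits are actually being approached.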