[nycbug-talk] home grown firewall solutions ...

Trish Lynch trish at bsdunix.net
Mon Mar 13 11:23:16 EST 2006


On Sat, 11 Mar 2006 alex at pilosoft.com wrote:

> On Sat, 11 Mar 2006, Aleksandar Kacanski wrote:
>
>> I am interested in putting together a fw solution with
>> following specs:
>>
>> 1. Multiple Gigabit Ethernet (copper) interface ports
>> 2. Any offload PCI based card for firewall or TCP
>> connection handling
>> 3. Over 1 Gbps firewall throughput
>> 4. Over 30,000 new TCP sessions per second
>>
>> I need to manage HTTP traffic... I would like to put together two or
>> three boxes with FreeBSD and PF, but don't know of many hardware vendors
>> that have some offload PCI based solutions for FreeBSD. Anybody had
>> experience with putting together something like this?
> The answer is: you don't want to do that.
>
> a) a firewall, for filtering, does not need to have a full tcp establishment
> stack, or need to offload its processing.
>
> b) it is not rocket science to forward 1gbps of non-ddos traffic, in fact,
> FreeBSD will work just fine out of the box on say p4/3.0. And, it'll work
> just fine with a reasonable set of pf rules (say, up to 100).
>
> c) it is, however, nontrivial to do this with pf 'keep state', if that's
> what you want. if you want to keep state, you need lots of CPU power
> and/or memory and/or hackery. 30000 new flows/second doesn't sound all
> that bad but you will be pushing the limits. No, any kind of tcp offload
> will not help.
>
> -alex
>

Exactly.

The people who manage to do this within a manageable cost will become 
billionaires, in my opinion (I have some ideas on how to do this, along 
with a current work-mate, but we need funding, and until we get it, we're 
keeping our ideas under wraps, until the patents go through, as we'd like 
to keep our money).

Let's just say, it *is* non-trivial to keep track of this amount of flows 
and state of each, but it can be simplified, and the hackery is nothing 
short of magic :)

-Trish



-- 
Trish Lynch					   trish at bsdunix.net
Ecartis Core Team 			      trish at listmistress.org
Key fingerprint = 781D 2B47 AA4B FC88 B919  0CD6 26B2 1D62 6FC1 FF16
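The stateless-versus-'keep state' tradeoff Alex raises in points (b) and (c), as an added pf.conf sketch that is not from the thread; the interface name, addresses and limit values are assumptions chosen to illustrate the sizing problem, not tuned figures.

```pf
# Added example, not from the thread. Interface and addresses are assumptions;
# 192.0.2.x is a constructed sample range.
ext_if = "em0"
web_servers = "{ 192.0.2.10, 192.0.2.11 }"

# Every 'keep state' entry costs kernel memory and a lookup per packet.
# The default ceiling (10000 states on pf of that era) is nowhere near
# 30000 new sessions/s, so raise it and size against concurrent flows.
set limit states 1000000

# Shorten the idle-established timeout for short-lived HTTP flows and let
# pf expire entries faster as the table fills (adaptive timeouts).
set timeout { tcp.established 600, adaptive.start 600000, adaptive.end 1000000 }

# Cheap path, point (b): filter HTTP statelessly, so no table entry per
# connection and no per-flow tracking at all. Return traffic must be
# permitted explicitly because nothing remembers the outbound side.
pass in  quick on $ext_if proto tcp to   $web_servers port 80 no state
pass out quick on $ext_if proto tcp from $web_servers port 80 no state

# Stateful alternative, point (c): only SYNs create state, and the per-rule
# cap keeps one burst from exhausting the whole table for other rules.
# pass in on $ext_if proto tcp to $web_servers port 80 flags S/SA keep state (max 500000)

block drop in on $ext_if
```

`pfctl -si` and `pfctl -s memory` show the live state count against the limit, which is the number to watch when deciding whether the stateless rules can be replaced by the stateful one.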


