Re: Security: FreeBSD vs OpenBSD

[Darren Reed <avalon@coombs.anu.edu.au>]

In some mail from Chris, sie said:
> 
> At 06:31 PM 04/02/2002 +1100, Darren Reed wrote:
> >In some mail from Luiz Gustavo, sie said:
> > >
> > > On Mon, Feb 04, 2002 at 01:40:08AM -0200, rss@cin.ufpe.br wrote:
> > > > And I prefer the redirect stuff... you can block some
> > > > range of hight ports and use it for redirecting. Or start a
> > > > jail for every service.
> > >
> > >  I dont think abuse of rdr on servers looks good, why you will need
> > >  pf *running* on every server?
> >
> >And the problem is?
> >
> >I know companies that use IPFilter on every server/desktop
> >running Unix.
> >
> >Darren
> 
>  From an administration, security, and policy standpoint running a packet 
> filter on every machine seems like a fine idea to me.  Could there be 
> performance issues though?  I don't have anything close to "high-volume" 
> machines running anywhere, so I've never seen the performance impact of IPF 
> or pf under load.

In those scenarios (as opposed to firewalls), the filter list is
generally much shorter.  This makes it less complex(!) as well as
less arduous to keep in memory, not to mention less work.

Years ago, on an SS2, I measured ipf's impact in terms of us per rule,
per packet.  4us/r/p (which includes time spent decoding input), with
no rules using "quick".  Or at least that's what I think the results
indicate :-)  It's probably much longer than that now, though, and
doesn't include overhead from things like "keep state", etc.

Darren