
Re: question about PF performance



On Sun, Sep 07, 2003 at 01:29:12AM -0600, RJ45 wrote:
> I have to build a firewall machine for a university campus.
> The firewall will be installed behind the core gigabit switch
> which is an Extreme Black Diamond, and it will be in bridging mode.
> Don't ask me why I don't use the black diamond... I will use OpenBSD
> because of political reasons about the Network campus management that
> is beyond the topic of my question now.
> Anyway I will have this OpenBSD box (I was thinking about a 3GHz P4 Dell
> PowerEdge), with 2 gigabit interfaces.
> The maximum speed will be 1Gbit/sec.
> What I want to ask you is if in your opinion OpenBSD can support such
> a peak traffic of 1Gbit/s in bridging mode between its two interfaces
> filtering the traffic?

depends on the hardware and particular hardware config. this is less
obvious than you think and has been discussed to death previously -
archives are your friend.
depends on your traffic characteristics even more than on the
hardware.
in short: it's close to unpredictable ;-) but I am pretty sure it will
just work, or can be made working with some little dirty tricks.

> With PF I can filter up to OSI level 4, and I plan to do bandwidth
> management also. If I want to filter up to level OSI 7, is there any
> particular application I can use to do that ?
> I know it's very CPU intensive to filter at application level, but if I
> need to do it sometimes, is there any way to do it on OpenBSD?

sure - userland proxies.
the one and only way to do that actually.
several are in ports, ftp-proxy is already in base.

-- 
http://2suck.net/hhwl.html - http://www.bsws.de/
Unix is very simple, but it takes a genius to understand the simplicity.
(Dennis Ritchie)