Re: question about PF performance
Quoting RJ45 (firstname.lastname@example.org):
> I have to build a firewall machine for a university campus.
> The firewall will be installed behind the core gigabit switch,
> which is an Extreme Black Diamond, and it will be in bridging mode.
> Don't ask me why I don't use the Black Diamond... I will use OpenBSD
> because of political reasons about the campus network management that
> are beyond the topic of my question now.
> Anyway I will have this OpenBSD box (I was thinking about a 3GHz P4 Dell
> PowerEdge), with 2 gigabit interfaces.
Well, the first thing I might do is, er, test this.
As a univ, I'm confident that a vendor might let you get
such a machine for a week or two for evaluation.
> The maximum speed will be 1Gbit/sec.
Next question: You have a Gigabit connection to the Internet?
I've built a number of firewalls and kept dealing with people
saying that they tested some machine we recommended and it
couldn't do 100mb/s throughput (100baseT was newish) and their
network was 100baseT.
Well yeah, but their internet connection is a T1 so that lets
us use a 486 in a pinch.
If you're connecting to a GB switch, for whatever reason, but all
traffic's going to a T3, then you don't really care if it
can pass GB. You care if it can pass 45mb/s.
> What I want to ask you is if in your opinion OpenBSD can support such
> a peak traffic of 1Gbit/s in bridging mode between its two interfaces
> filtering the traffic?
> Then a second question.
> With PF I can filter up to OSI level 4, and I plan to do bandwidth
I'm not running OSI - what's layer 4 in the TCP world? Layer 8 is
politics, I know. 9 is finance, depending on the institute.
> management also. If I want to filter up to OSI level 7, is there any
> particular application I can use to do that?
Um, in industry terms you mean "application layer?" Like "proxies?"
> I know it's very CPU intensive to filter at application level, but if I
> need to do it sometimes, is there any way to do it on OpenBSD?
It depends on the App. We did lots of web proxying. It killed machines.
So we did it on 3 (round robin DNS) INSIDE the firewall and the firewall
just made like a router.
proxy ssh? Bad idea. proxy ftp? Sure. You likely have other things
in mind. It makes a difference what they are.
Internal proxies and DMZ proxies are common.
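What the thread describes in words, as an added example (not part of the original message): a pf.conf for a two-interface bridging firewall that filters at layer 4 with state tracking, does ALTQ bandwidth management, and leaves application-layer work to web proxies that sit inside the firewall, as the reply suggests. Interface names (em0 toward the uplink, em1 toward the campus), the 10.10.0.0/16 campus range and the three proxy addresses are assumptions, not taken from the thread. The syntax assumes an OpenBSD release of that period: `set skip` exists from 3.6 on, and the `altq`/`cbq` keywords are the ALTQ syntax used through 5.4 (later releases replaced ALTQ with the `queue` keyword).

```pf
# Added example, not the poster's configuration. Interface names,
# addresses and proxy hosts below are assumed/constructed.
#
# Bridge setup of that era, in /etc/bridgename.bridge0:
#   add em0 add em1 up
# with /etc/hostname.em0 and /etc/hostname.em1 each containing "up".
# PF rules are evaluated on the member interfaces, not on bridge0.

ext_if = "em0"             # assumed: toward the core switch / Internet uplink
int_if = "em1"             # assumed: toward the campus
campus = "10.10.0.0/16"    # constructed campus address range
web_proxies = "{ 10.10.1.11, 10.10.1.12, 10.10.1.13 }"  # constructed: the
                           # three round-robin DNS proxies inside the firewall

# Bandwidth management toward the campus (traffic leaving on $int_if).
# The 1Gb figure is the peak the question asks about.
altq on $int_if cbq bandwidth 1Gb queue { q_default, q_web, q_ssh }
queue q_default bandwidth 60% cbq(default borrow)
queue q_web     bandwidth 30% cbq(borrow)
queue q_ssh     bandwidth 10% priority 7 cbq(borrow)

# Every packet crosses both bridge members; filtering on only one of them
# avoids evaluating each packet twice.
set skip on $ext_if

# Default deny in both directions on the filtered interface, logged.
block log on $int_if all

# Web traffic to the Internet is allowed only from the proxies, so
# application-layer inspection happens on those boxes, not on the firewall.
pass in on $int_if proto tcp from $web_proxies to any port { 80, 443 } \
    flags S/SA keep state queue q_web

# Interactive sessions get their own queue; layer-4 filtering only.
pass in on $int_if proto tcp from $campus to any port 22 \
    flags S/SA keep state queue q_ssh

# Everything else from the campus: stateful, shaped into the default queue.
pass in on $int_if proto { tcp, udp } from $campus to any \
    keep state queue q_default
pass in on $int_if inet proto icmp from $campus to any \
    icmp-type echoreq keep state

# Connections initiated from the Internet toward the campus arrive "out"
# on $int_if; nothing above passes them, so they hit the block rule.
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, then load with `pfctl -f /etc/pf.conf`; `pfctl -s queue -v` and `systat queues` show whether the ALTQ queues are actually carrying traffic, and `pfctl -s state` confirms that return packets are matching states rather than the block rule.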