> > So, you say that a poorly configured netscreen is no better than a poorly
> > configured freebsd+ipfw ... but what about the best possibly configured
> > netscreen vs. the best possibly configured freebsd+ipfw ?
>
> The answer to that particular question depends on what you mean
> by "configured".
>
> Netscreen has integral load shedding in its stack.
>
> FreeBSD is actually adding pointers and other complexity to its
> stack, to attribute packets with metadata for mandatory access
> controls, and for some of the IPSEC and other stuff that Sam
> Leffler has been doing. If you have IPSEC compiled into your
> kernel at all, each connection setup for IPv4, and the per
> connection overhead for IPv4, is very, very high, because the
> IPSEC code allocates a context, even if IPSEC is never invoked,
> rather than using a default context.
Except that it's acting as a router, and as such there is no 'setup'
except for the one he is using to configure/monitor the firewall via
SSH. In essence, a no-op in a dedicated firewall setup.

> FreeBSD timers used in the TCP stack do not scale well (this is
> relative to your point of view, e.g. they don't scale well to
> 1,000,000 connections, but can be tuned to be "OK" for 10,000
> connections).

Again, you're missing the point. This is a dedicated firewall, not a
firewall being used at the point of service.

[ The rest of the irrelevant descriptions deleted ]

Nate