On Monday 22 November 2004 19:29, Pawel Malachowski wrote:
> I'm interested in opinions/comparisons on how ipnat and pf perform
> on FreeBSD 5.x in real working large NAT setups (about 50Mbit/s, a few
> thousand workstations, 300k mappings or more). Problems noticed,
> memory and CPU consumption, mbufs utilization etc.
While the state information in pf is slightly larger than that of ipfilter (and thus the memory consumption), pf offers many functionalities that make it the "easier-to-manage" tool. There are also a couple of optimizations in pf that should make it perform better, but only measuring your specific application can tell you which is the better one for you. I'd guess that pf can lift the load described above with an average workstation (good NICs and plenty of RAM provided).

Note, however, that for CPU consumption packets per second is the important factor. For pf - with its stateful inspection - connection initialization has some meaning as well (once established, passing more traffic through a connection is cheap).

Depending on your application, you might find pf's TABLES useful, which greatly improve management of large IP-sets. There are also many options to fine-tune the number of concurrent states that a (NAT) rule can create. This helps to keep down memory consumption during DDoS attacks. The additional "adaptive timeouts" can also help to manage load peaks.

That is comparing pf 3.5 (what is in RELENG_5) with ipfilter 3.x (also in RELENG_5). ipfilter 4.x has gained some, but isn't included in FreeBSD.

-- 
/"\  Best regards,                      | [EMAIL PROTECTED]
\ /  Max Laier                          | ICQ #67774661
 X   http://pf4freebsd.love2party.net/  | [EMAIL PROTECTED]
/ \  ASCII Ribbon Campaign              | Against HTML Mail and News
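The three pf features the reply points to (tables for large address sets, per-rule state ceilings, adaptive timeouts) as an added pf.conf sketch for a NAT gateway of the size Pawel describes; this is example configuration written for this thread, not Max's or the project's own, and the interface names, address ranges and numeric limits are assumptions chosen for illustration.

```conf
# Added example, not from the list post: pf 3.5-era pf.conf for a large
# NAT gateway. Interfaces, ranges and limits are assumed values.
ext_if = "em0"
int_if = "em1"

# Tables hold thousands of addresses cheaply. 'persist' keeps a table
# alive even when no rule references it, so it can be refilled at run
# time with: pfctl -t workstations -T replace -f /etc/workstations.txt
table <workstations> persist { 10.0.0.0/16, 10.1.0.0/16 }
table <abusers> persist

# Global ceilings: size the state table for the expected mapping count
# and bound source-tracking nodes so a flood cannot exhaust kernel memory.
set limit { states 400000, src-nodes 20000 }

# Adaptive timeouts: above adaptive.start state entries, idle timeouts
# shrink linearly and reach zero at adaptive.end, shedding stale states
# under load peaks instead of refusing new connections.
set timeout { adaptive.start 240000, adaptive.end 400000 }
set timeout { tcp.established 3600, udp.multiple 120 }

scrub in all

# One NAT rule for the whole workstation set; ($ext_if) tracks the
# external address if it changes.
nat on $ext_if from <workstations> to any -> ($ext_if)

block in quick on $int_if from <abusers>

# Per-rule state ceilings: 'max' bounds the states this rule may create in
# total; 'source-track rule' with 'max-src-states' bounds them per source,
# so one misbehaving workstation cannot consume the whole state table.
pass in on $int_if inet proto tcp from <workstations> to any \
    flags S/SA keep state (max 300000, source-track rule, max-src-states 150)
pass in on $int_if inet proto { udp, icmp } from <workstations> to any \
    keep state (max 50000, source-track rule, max-src-states 50)
pass out on $ext_if keep state
```

`pfctl -si` reports current state counts and `pfctl -sT` the loaded tables, which is how to check whether the chosen limits fit the observed mapping count.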