On 16:26, Wed 10 Feb 10, Jacob Yocom-Piatt wrote:
> Mike Williams wrote:
> >Really, nobody firewalls at multi-Gbps?
> >
> 
> 
> anybody who does firewall at high bandwidth / pps is unlikely to
> provide this information freely. also note that you've not made an
> effort to do any tests and share them, so it is not surprising that
> others are not sharing data with you.

It's not that we don't want to, but we don't have time to guess what the
OP wants, formulate an answer, just to find out the OP wants something
totally different.

> 
> i have found that openbsd mailing lists are not good places to post
> 'i want to do this' sort of stuff and expect a reply, especially on
> a topic that requires pretty specialized and likely valuable
> knowledge. if you try something out, it doesn't work how you want
> and you want assistance getting it to work you will likely get more
> feedback.

Indeed.
Clear questions showing you did your homework have the highest
probability to get answers/tips/hints.

> 
> 
> >Or have I contravened some convention, in my questions, or wording?
> >
> >On Friday 22 January 2010 23:55:45 Mike Williams wrote:
> >>I missed two bits of information...
> >>Routing. With only one upstream routing device these would only have one
> >>route, maybe two (internet, and internal).
> >>A bit of mental gymnastics, ok a calculator, gives something like 400 Kpps.
> >>Which, if my assumptions on packet sizes are right, isn't mind numbingly
> >> scary.
> >>
> >>On Friday 22 January 2010 20:12:29 Mike Williams wrote:
> >>>Hey all,
> >>>
> >>>I was hoping there are some heavy PF users here, who wouldn't mind
> >>>sharing some of their experiences?
> >>>So I've watched Henning's talk about PF performance, read the PDF, but I
> >>>haven't actually seen anyone saying they can, and do, PF at 10Gbps.
> >>>Can it?
> >>>If so, what actual hardware can? Or more precisely, what hardware could
> >>>sustain our expected usage?
> >>>
> >>>
> >>>We've got a big project in its earliest stages which would require very
> >>> basic firewalling at multi-gigabit-per-second. Probably in the region of
> >>> 3Gbps (yes yes, PPS is the real killer), with peaks for software
> >>>releases much higher. No NAT, just routing (bgpd/ospfd), and simple
> >>>limits on what ports are available. I can't imagine needing more than
> >>>200-300 rules. I'm actually a Linux guy, and I'm pretty confident that
> >>>netfilter simply won't keep up, and while we've not personally used
> >>>OpenBSD in "anger" yet, there is plenty of time to get acquainted.
> >>>
> >>>So, at the edges I'm imagining a large hardware router, handing off to
> >>> OpenBSD to sub-route, VLAN, PF, to the actual servers, and then a few
> >>>10s of Mbps of IPSec stuff back to base.
> >>>The traffic patterns expected are very approximately:
> >>>5Mbps DNS
> >>>30Mbps of HTTP requests that elicit a sub-500byte response. 200,000,000
> >>> hits per day.
> >>>300Mbps of "normal" HTTP.
> >>>2-3Gbps of several hundred KB, to many-MB, files over HTTP.
> >>>20Mbps of "stuff" over IPSec. syslog, ssh, snmp, etc.
> >>>
> >>>Nearer the core will have much more complex PF rules, but only on a few
> >>>hundred Mbps, so easy for modest hardware.
> >>>
> >>>
> >>>Thanks
> 

-- 

Michiel van Baak
mich...@vanbaak.eu
http://michiel.vanbaak.eu
GnuPG key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x71C946BD

"Why is it drug addicts and computer aficionados are both called users?"
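The original poster's "400 Kpps" figure comes from turning the quoted traffic mix into packets per second, and the reply thread's point is that such homework should be shown. The script below is an added example, not code from any poster: it redoes that estimate for the five traffic classes the OP listed, using average packet sizes that are constructed assumptions (the Mbps figures are the OP's), and adds a sensitivity check showing how much the result moves when the packet-size assumption is wrong. It is a capacity-planning aid for sizing a firewall, nothing more.

```python
"""Rough packets-per-second estimate for the traffic mix quoted in the thread.

Added example, not from the original posts. Bandwidth figures are the ones the
OP gave; the average packet sizes per class are constructed assumptions.
"""

MBIT = 1_000_000

# (name, Mbps, assumed average on-wire packet size in bytes). The sizes are
# illustrative assumptions, not measurements from any real link.
TRAFFIC_MIX = [
    ("dns", 5, 100),            # small UDP queries and responses
    ("http-small", 30, 300),    # sub-500-byte responses, many pure ACKs
    ("http-normal", 300, 800),  # mix of requests, data segments and ACKs
    ("http-bulk", 3000, 1400),  # large file transfers, close to the MTU
    ("ipsec", 20, 600),         # syslog/ssh/snmp carried inside ESP
]


def pps_for(mbps, avg_bytes):
    """Packets per second for one traffic class: bits/s divided by bits per packet."""
    return mbps * MBIT / 8 / avg_bytes


def total_pps(mix=TRAFFIC_MIX):
    """Sum the per-class rates; returns (total_pps, {class: pps})."""
    per_class = {name: pps_for(mbps, size) for name, mbps, size in mix}
    return sum(per_class.values()), per_class


def sensitivity(mix=TRAFFIC_MIX, factors=(0.5, 1.0, 2.0)):
    """Total pps when every assumed packet size is scaled by each factor.

    Halving the assumed sizes doubles the packet rate, which is why the
    packet-size assumption, not the Mbps figure, dominates a firewall estimate.
    """
    return {f: total_pps([(n, m, s * f) for n, m, s in mix])[0] for f in factors}


def hits_per_second(hits_per_day, packets_per_hit):
    """Average pps implied by a daily hit count, given packets per HTTP
    exchange (handshake, request, response, teardown); assumes an even spread
    over the day, so real peaks will be higher."""
    return hits_per_day / 86400 * packets_per_hit


if __name__ == "__main__":
    total, per_class = total_pps()
    for name, pps in per_class.items():
        print(f"{name:12s} {pps:10.0f} pps")
    print(f"{'total':12s} {total:10.0f} pps")
    print("sensitivity:", {f: round(v) for f, v in sensitivity().items()})
    # 200,000,000 hits/day at an assumed ~10 packets per small HTTP exchange
    print("small-hit average:", round(hits_per_second(200_000_000, 10)), "pps")
```

With these assumptions the total lands around 340 Kpps, in the same region as the OP's estimate, but the bulk-HTTP class contributes almost all of it, and the sensitivity line shows the total doubling if the average packet is half the assumed size. Two things the script does not capture are worth keeping in mind when sizing hardware: peaks (the OP mentions software releases) rather than daily averages, and the fact that with stateful filtering the cost per packet also depends on state-table lookups, not only on the raw packet count.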
