On Wed, 22 Sep 2010 15:47:02 -0400 Brad Tilley <b...@16systems.com> wrote:
> Rikky Taylor wrote:
> > I was after some general advice. I need to set up a routing firewall with 3
> > interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
> >
> > Given identical modern server hardware would I expect a performance
> > difference between an OpenBSD/PF setup and a Linux/IPTables one?
> >
> > Rikky
>
> Either will work fine so long as you purchase good NICs and avoid
> cutting-edge (untested) hardware. The only things Linux does noticeably
> better are:
>
> * Dealing with SMP
> * Dealing with lots and lots of RAM
> * Dealing with huge file-systems
>
> None of those things are needed for simple firewalls.
>
> Brad

And PF will filter more packets on slower, quieter hardware, whilst using less electricity. SMP is not needed for a pure firewall because your NIC should be the bottleneck before the CPU.

It also wipes your ass by optimising the ruleset, which will be smaller and so faster to start with anyway, and fixing up Windows' non-random network port usage, preventing hijacks. It's also much quicker to use and more intuitive. Do you trust something that mangles your packets? Only joking.

iptables has many options and you may find something in there you like, but a lot of it borders on useless, and so you'll spend less time getting what you want done. PF does a lot of cool stuff that you may not even realise is happening, like hiding the number of machines due to timestamp randomisation. You can always use both, but I'd always put in PF first. Plus the host running PF is far more secure. I replaced ipcop with OpenBSD. It's a no-brainer, as google will tell you.

F.Y.I. I believe PF still? performs better on i386 than it does on amd64.
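As an added illustration of the three-interface NAT firewall the original question describes, here is a minimal pf.conf in the OpenBSD 4.7+ `match ... nat-to` syntax. It is not from either poster; the interface names, networks and DMZ host address are assumed. It shows the PF features the reply alludes to: the built-in ruleset optimiser (`set ruleset-optimization`), random source ports on NAT (PF's default for `nat-to`), `modulate state` for peers with weak initial sequence numbers, and `scrub (random-id reassemble tcp)`, which randomises IP IDs and modulates TCP timestamps so outside observers cannot count hosts behind the NAT.

```pf
# Added example pf.conf for a three-interface routing firewall (not from the thread).
# Interface names and addresses are assumptions; adjust to your hardware.
ext_if  = "em0"             # upstream / Internet
lan_if  = "em1"             # internal LAN
dmz_if  = "em2"             # DMZ with public-facing servers
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
web_srv = "192.168.2.10"    # hypothetical DMZ web server

set skip on lo0
set block-policy drop
# "basic" is the default: PF removes duplicate rules, merges and reorders
# them, so a large hand-written ruleset is evaluated as a smaller one.
set ruleset-optimization basic

# Normalise all traffic: drop bad fragments, randomise the IP ID field and
# modulate TCP timestamps (reassemble tcp), which hides the number of
# machines behind this box from passive fingerprinting.
match in all scrub (no-df random-id reassemble tcp)

# Translate LAN and DMZ traffic to the external address. nat-to picks a
# random high source port for each connection by default.
match out on $ext_if from { $lan_net, $dmz_net } to any nat-to ($ext_if)

# Default deny, logged; everything below is an explicit exception.
block log all

# Outbound from the firewall and the inside networks; modulate state
# rewrites TCP initial sequence numbers for hosts that pick them poorly.
pass out quick on $ext_if inet proto { tcp udp icmp } modulate state
pass in on $lan_if from $lan_net to any
pass in on $dmz_if from $dmz_net to any

# Only HTTP from the Internet is forwarded into the DMZ; LAN is never reachable
# from outside. Keep-state is implicit on pass rules.
pass in on $ext_if inet proto tcp from any to ($ext_if) port 80 rdr-to $web_srv
```

Check the file before loading it with `pfctl -nf /etc/pf.conf` (parse only) and compare `pfctl -sr` before and after enabling `set ruleset-optimization` to see how many rules the optimiser actually merged; `pfctl -vsr` shows per-rule match counters, which is the quickest way to confirm the NAT and DMZ rules are being hit as intended.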