On 6/6/06, Odette <[EMAIL PROTECTED]> wrote:
Hi all,

 I need to replace our production firewall, and I'd like to use pfSense,
which I've already used successfully in home and small office environments.

The solution I'm going to replace is based on Linux iptables, which requires
more than 1000 rules. I need more than 25 static routes and 5 VPNs.

Furthermore, in the near future we are migrating 2 of 3 network branches to
Gbit.

I'd like to try pfSense, but my boss (I'm sure) will kill me if I spend
half a week setting up the new pfSense and writing down all the rules, only
to find that pfSense is not the right solution.

Seems like the effort falls under research and development.  At least
in my shop, that wouldn't be considered a waste of time, as it can
vet the existing design (which obviously is considered inadequate),
determine what use, if any, pfSense has to us, and whether we need to
keep looking.  There aren't any free answers - you'll have to take the
time to try out the solution you believe will work for you.

Is there a rule number limit or a session number limit implemented in
pfSense?

Not per se.  Do you really have 1000 rules, or are there numerous
duplicates with only source/destination IPs (or ports) changed?  You
may be able to shrink that rule base down considerably with pfSense.
The only concern I'd have with the number is the speed of the webGUI -
depending on how many interfaces you have, displaying 1000 rules on a
single screen could be bad (some day I'll have to generate a test bed
that stresses out the webGUI so we can try and improve the speed).

Also, you may or may not want to increase the state table limit, which
defaults to 10K state entries.  There are 2-3 (depending on NAT) state
table entries for every connection through your firewall.  More info
on state table sizes can be found in other threads on this list or the
forum (I've answered this a few times).

Does somebody have some expertise in similar situations?

Can't speak for pfSense in a large install, but the underlying packet
filter engine works like a champ in my commercial installs and those
are couple thousand rule machines (text files for editing...I'm not
relishing converting those machines to pfSense).

--Bill
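An added example, not part of the thread and not pfSense's own tooling, of how to check Bill's question about duplicated rules before committing to a migration: a script that reads iptables-save style rules, groups the ones that differ only in source/destination, and reports how many alias-based rules they would collapse into. The sample rules below are constructed for the example, the accepted rule syntax is deliberately narrow (one `-s`, one `-d`, a protocol, a `--dport` and a target), and the function names are mine.

```python
import re
from collections import defaultdict
from itertools import product

# Constructed sample in iptables-save syntax (made up for this example, not taken
# from the thread): nine FORWARD rules, most differing only in -s / -d.
SAMPLE_RULES = """\
-A FORWARD -s 10.1.0.5/32 -d 192.0.2.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.1.0.6/32 -d 192.0.2.10/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.1.0.5/32 -d 192.0.2.11/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.1.0.6/32 -d 192.0.2.11/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.1.0.7/32 -d 192.0.2.12/32 -p tcp -m tcp --dport 443 -j ACCEPT
-A FORWARD -s 10.1.0.5/32 -d 192.0.2.20/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 10.1.0.9/32 -d 192.0.2.20/32 -p tcp -m tcp --dport 25 -j ACCEPT
-A FORWARD -s 10.2.0.0/24 -d 0.0.0.0/0 -p udp -m udp --dport 53 -j ACCEPT
-A FORWARD -s 10.3.0.4/32 -d 192.0.2.10/32 -p tcp -m tcp --dport 443 -j DROP
"""

# Narrow parser: only the simple "src -> dst, proto/port, target" form is supported.
RULE_RE = re.compile(
    r"^-A (?P<chain>\S+) -s (?P<src>\S+) -d (?P<dst>\S+) -p (?P<proto>\S+)"
    r"(?: -m \S+)? --dport (?P<dport>\d+) -j (?P<target>\S+)$"
)


def parse_rules(text):
    """Return a list of (shape, src, dst); 'shape' is everything except the endpoints."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported rule syntax: {line}")
        shape = (m["chain"], m["proto"], m["dport"], m["target"])
        rules.append((shape, m["src"], m["dst"]))
    return rules


def consolidate(rules):
    """Collapse rules into (shape, source_alias, destination_alias) entries.

    Destinations that share exactly the same set of sources are merged into one
    destination alias, so every (src, dst) pair in the result existed in the
    input: the policy is not widened.
    """
    by_shape = defaultdict(lambda: defaultdict(set))  # shape -> dst -> {src}
    for shape, src, dst in rules:
        by_shape[shape][dst].add(src)
    merged = []
    for shape, dst_map in by_shape.items():
        by_srcset = defaultdict(set)  # frozenset(srcs) -> {dst}
        for dst, srcs in dst_map.items():
            by_srcset[frozenset(srcs)].add(dst)
        for srcs, dsts in by_srcset.items():
            merged.append((shape, srcs, frozenset(dsts)))
    return merged


def naive_widening(rules):
    """Count (src, dst) pairs that a one-rule-per-shape merge (all sources in one
    alias, all destinations in another) would allow although the input never did."""
    by_shape = defaultdict(set)
    for shape, src, dst in rules:
        by_shape[shape].add((src, dst))
    extra = 0
    for pairs in by_shape.values():
        srcs = {s for s, _ in pairs}
        dsts = {d for _, d in pairs}
        extra += len(set(product(srcs, dsts)) - pairs)
    return extra


def report(text):
    rules = parse_rules(text)
    merged = consolidate(rules)
    return {
        "original": len(rules),
        "consolidated": len(merged),
        "naive_extra_pairs": naive_widening(rules),
    }


if __name__ == "__main__":
    summary = report(SAMPLE_RULES)
    print(summary)
    for shape, srcs, dsts in consolidate(parse_rules(SAMPLE_RULES)):
        print(shape, "src alias:", sorted(srcs), "dst alias:", sorted(dsts))
```

Two caveats when reading the numbers. First, the obvious shortcut of putting every source of a rule shape in one alias and every destination in another is not policy-preserving: `naive_extra_pairs` counts the source/destination combinations that shortcut would newly permit, and on the sample it is non-zero. Second, iptables and pf both evaluate rules in order, and this script only groups by shape; before deploying a merged set, confirm that no overlapping rule with a different target sat between the rules that were merged.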
