High load may or may not be a problem depending on your traffic patterns.
I've seen pf firewalls suffer by running out of state-table space in
situations where there are a lot of fairly short-lived but low volume
network connections.  The default is 10,000 states.  If your firewall machine



Is this state-table a hash table or something similar? If so, making it much bigger than the CPU cache may actually slow things down, because DRAM access latency is huge on modern machines.

On the whole I'd go with pf every time simply based on how much more
manageable it is compared to ipfw -- you have to try, hard, to lock
yourself out when reloading a new pf ruleset.

I already learned well about locking myself out after making a mistake in ipfw rules.

Now I run screen and do something like this:

cd /etc
cp firewall firewall.old
cp firewall firewall.new
<edit> firewall.new
cp firewall.new firewall;/etc/rc.d/ipfw restart;sleep 100;cp firewall.old firewall;/etc/rc.d/ipfw restart

Then I have 100 seconds to quickly test the new rules, at least to make sure I'm not locked out.
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
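
The timed-rollback procedure from the message above, as an added example that is not part of the original post. It goes one step further than the posted commands: the new rules are kept if the operator confirms within the window and restored otherwise. The function name `apply_with_rollback`, the `RESTART_CMD` variable and the confirm-file mechanism are assumptions made for this sketch.

```shell
#!/bin/sh
# Added example: confirm-or-rollback reload of an ipfw rules file.
# apply_with_rollback, RESTART_CMD and the confirm file are hypothetical
# names for this sketch, not part of FreeBSD or of the original post.
#
# Usage: apply_with_rollback LIVE_RULES NEW_RULES TIMEOUT_SECONDS CONFIRM_FILE
# Returns 0 if the new rules were confirmed and kept, 1 if they were
# rolled back, 2 if nothing was applied because of a file error.
apply_with_rollback() {
    live=$1 new=$2 timeout=$3 confirm=$4
    restart=${RESTART_CMD:-/etc/rc.d/ipfw restart}
    backup="$live.old"

    [ -r "$live" ] && [ -r "$new" ] || return 2
    cp -p "$live" "$backup" || return 2
    # Keep the confirm file in a root-only directory so that no other
    # local user can confirm on the operator's behalf.
    rm -f "$confirm"

    # Install the candidate rules; if the copy fails, put the old file back.
    cp "$new" "$live" || { cp -p "$backup" "$live"; return 2; }

    if $restart; then
        # The operator confirms by creating the file from a fresh login,
        # which shows that new connections still pass the new rules.
        waited=0
        while [ "$waited" -lt "$timeout" ]; do
            if [ -e "$confirm" ]; then
                rm -f "$confirm"
                return 0
            fi
            sleep 1
            waited=$((waited + 1))
        done
    fi

    # No confirmation in time, or the reload failed: restore old rules.
    cp -p "$backup" "$live"
    $restart
    return 1
}

# Example call (run it inside screen, as in the post, so that losing the
# session does not stop the rollback):
#   apply_with_rollback /etc/firewall /etc/firewall.new 100 /root/fw.ok
```

To keep the new rules, log in again within the timeout and `touch` the confirm file; doing nothing restores the previous rules.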