High load may or may not be a problem depending on your traffic patterns.
I've seen pf firewalls suffer by running out of state-table space in
situations where there are a lot of fairly short-lived but low volume
network connections. The default is 10,000 states. If your firewall machine
is this state-table a hash table or something similar. if so - making it
much bigger than CPU cache may actually slow down things because DRAM
access latency is huge on modern machines.
On the whole I'd go with pf every time simply based on how much more
manageable it is compared to ipfw -- you have to try, hard, to lock
yourself out when reloading a new pf ruleset.
i already learned well locking myself after making mistake in ipfw rules
now i run screen and do something like that
cp firewall firewall.old
cp firewall firewall.new
cp firewall.new firewall;/etc/rc.d/ipfw restart;sleep 100;cp firewall.old
then i have 100 seconds to quickly test new rules, at least to make sure
i'm not locked.
firstname.lastname@example.org mailing list
To unsubscribe, send any mail to "[EMAIL PROTECTED]"