On Dec 16, 2003, at 1:41 PM, Łukasz Bromirski wrote:

> There are some google references that point to installations, where
> pf is doing 600-700Mbit/s. You will need good motherboard, decent
> CPU (two or four CPUs won't help much if machine will do only
> firewalling) and of course fastest NICs on fastest bus You can get,
> with TX/RX checksums offloading etc.

I was thinking along the lines of either a Xeon or Opteron board with a couple Intel Pro/1000 XF cards.


> But...do You *really* need 1Gbit/s performance? I doubt, because:
>
> > I'm looking to take some filtering load off of our routers for a particularly DDoS-prone service.
>
> ...if You think about filtering unwanted traffic (DDoS) from Internet, do You happen to have 1Gbit/s ISP link? I think not. Even if, I would go for close cooperation with Your ISP and implement some kind of coordinated BGP sink-hole router, with help of zebra/quagga-running machines. It should be less resource-intensive. Look at:

Actually, we have just over 5Gbit of aggregate bandwidth, soon to be 10Gbit. This service frequently attracts attacks in excess of 500mbit. Response time on a BGP blackhole server solution is too slow.


ben.


