Other people filter at close to, or better than, a gig with multiple NICs. With GigE NICs you are generally talking quality, and with quality NICs you get lots of freebie stuff: checksum generation, decent buffer sizes, efficient bus use etc. They know that their customers don't want cheap, they want fast; they don't want the backups to impact the customer experience for 2 hours, just for a measly extra $50.

Recommendations:
- Intel or other 'quality' manufacturer.
- Dedicated 66 MHz bus, if possible.

CPU speed has little impact, though the little time that the frame is actually inside OpenBSD will be halved by doubling the clock speed. The thing is, PF is designed so that's not a large proportion of the time, if the NIC is any good.

A search for "pf gigE Henning" is likely to bring up some interesting stuff, e.g. http://www.benzedrine.cx/pf/msg03147.html, which has figures like:

> No firewall: 939 Mbits/sec throughput
> Firewall: 785 Mbits/sec throughput

But this 'problem' (17% PF slowdown) has plenty of possible solutions, including changing both NICs to Intel, using the device polling patch, etc. As so many factors count, it's probably best to get a test/loan box and then see what vmstat says while it's busy.

Dom

PS. "particularly DDoS-prone service" == online gambling?

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Dom De Vitto
Tel. 07855 805 271
http://www.devitto.com
mailto:[EMAIL PROTECTED]
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of ben
Sent: Tuesday, December 16, 2003 5:38 PM
To: [EMAIL PROTECTED]
Subject: best hardware for pf

Hi,

Anyone have experience with filtering at close to 1Gbit using pf? What would end up being the limiting factor in such a system? CPU, bus bandwidth or maybe something else? I'm looking to take some filtering load off of our routers for a particularly DDoS-prone service.

Thanks,
ben.
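An added example, not part of Dom's reply or ben's question: a small Python script for the "see what vmstat says while it's busy" step. It parses `vmstat -i` output from an OpenBSD box under load, pulls out the NIC interrupt sources, and compares their interrupt rate with the packet rate on the same interface. A ratio near 1 interrupt per packet is the signature of a cheap NIC with no interrupt mitigation, which is the case Dom's "quality NIC or polling patch" advice is aimed at. The `vmstat -i` sample and the packet rates are constructed for the example; the column layout (source, total, rate) and the `irqN/driverN` naming are assumptions about OpenBSD's format, and the NIC driver prefixes and the classification thresholds are the example's own choices.

```python
import re

# Constructed sample of `vmstat -i` captured while the box is forwarding
# (illustrative numbers, not measurements from the thread). Column layout
# "source total rate" and "irqN/driverN" names are assumed to match OpenBSD.
SAMPLE_VMSTAT_I = """\
interrupt                       total     rate
irq0/clock                    6000000      100
irq0/ipi                        48000        0
irq144/em0                   54000000    90000
irq145/em1                   53400000    89000
irq150/uhci0                     1200        0
Total                       113449200   179100
"""

# Constructed packet rates (packets/s) on the same NICs over the same
# interval, e.g. from deltas of `netstat -I em0 -b` (assumption).
SAMPLE_PPS = {"em0": 92000, "em1": 91000}

ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\d+)\s*$")

# Driver prefixes treated as NICs (assumption; extend for your hardware).
NIC_DRIVERS = ("em", "fxp", "bge", "ti", "sk", "ix")


def parse_vmstat_i(text):
    """Map each interrupt source (and 'Total') to (total, rate_per_second)."""
    rows = {}
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if m is None or m.group(1) == "interrupt":
            continue  # header or blank line
        rows[m.group(1)] = (int(m.group(2)), int(m.group(3)))
    return rows


def nic_interrupt_rates(rows):
    """Return {'em0': rate, ...} for sources whose device name is a NIC driver."""
    nics = {}
    for source, (_, rate) in rows.items():
        dev = source.split("/", 1)[-1]          # 'irq144/em0' -> 'em0'
        if dev.rstrip("0123456789") in NIC_DRIVERS:
            nics[dev] = rate
    return nics


def interrupts_per_packet(irq_rate, pps):
    """~1.0 means every packet raises an interrupt (no coalescing/polling)."""
    return irq_rate / pps if pps else float("inf")


def nic_share_of_interrupts(rows, nics):
    """Fraction of all interrupts/s that come from the NICs."""
    total_rate = rows["Total"][1]
    return sum(nics.values()) / total_rate if total_rate else 0.0


def assess_nic(irq_rate, pps):
    """Classify a NIC by interrupts per packet (thresholds are this example's own)."""
    ipp = interrupts_per_packet(irq_rate, pps)
    if ipp >= 0.8:
        return "interrupt-bound: ~1 interrupt/packet, no mitigation (polling or a better NIC)"
    if ipp >= 0.2:
        return "partial mitigation"
    return "mitigation working"


def report(text=SAMPLE_VMSTAT_I, pps=SAMPLE_PPS):
    """Return {nic: (irq_rate, interrupts_per_packet, verdict)} for every NIC."""
    rows = parse_vmstat_i(text)
    nics = nic_interrupt_rates(rows)
    return {dev: (rate,
                  round(interrupts_per_packet(rate, pps.get(dev, 0)), 3),
                  assess_nic(rate, pps.get(dev, 0)))
            for dev, rate in nics.items()}


if __name__ == "__main__":
    rows = parse_vmstat_i(SAMPLE_VMSTAT_I)
    nics = nic_interrupt_rates(rows)
    print(f"NIC share of interrupts: {nic_share_of_interrupts(rows, nics):.1%}")
    for dev, (rate, ipp, verdict) in report().items():
        print(f"{dev}: {rate} irq/s, {ipp} irq/packet -> {verdict}")
```

On a real box, capture `vmstat -i` and the interface packet counters twice a few seconds apart and feed the per-second deltas in; the interrupts-per-packet ratio is what tells you whether the time is going into the NIC driver rather than into pf itself, which is the distinction Dom draws between CPU speed and NIC quality.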
