A wrote:
> Now, I know this question gets asked a lot by newbs, but I have a
> commercial reason for asking. Just how many connections can a high-spec
> PC with OBSD and pf handle from a filtering perspective?
>
> The company I work for is currently working on an online game that will
> potentially have 100,000+ concurrent users. We are looking at different
> firewalls to help on the security side of things. A rather complex
> cluster of different machines will manage these connections, but I am
> wondering if OBSD would be able to sit in front of this cluster and act
> as a border firewall. The ruleset itself would be very simple
> (basically it would block everything except for a small number of known
> UDP ports, then "keep state").
>
> Would a single machine be able to handle that type of load? What sort
> of CPU+RAM+NIC would be required? Alternatively, if a single machine
> wouldn't cut the mustard, could an array of firewalls be set up?
pf is plenty fast. We use a single pf firewall to filter 650+ hits/second, or about 30 MB/s of sustained traffic. The pf box doesn't even break the slightest sweat. Others here run intense setups without problem, too.

What's most important is good NICs (buffering and interrupt generation, for example) and RAM to hold states. Check out the pf FAQ: http://openbsd.org/faq/pf/perf.html

Mike Frantzen posted a way to calculate the maximum number of states you have memory for (at least with 3.5, not sure if this is still true): http://marc.theaimsgroup.com/?l=openbsd-pf&m=108576335204963&w=2

cheers,
Sean
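The ruleset the question describes (default deny, a handful of known UDP ports, keep state) together with the memory-bound state tunables Sean points at, written out as an added example; it is not from either message in the thread. The interface names, the 192.0.2.0/24 cluster address block, the UDP port range and the state limit are assumed placeholders to be replaced with real values.

```pf
# Border firewall in front of the game cluster: drop everything, pass only
# the known UDP game ports, and size the state table for the expected load.
# All names, addresses and ports below are assumptions, not values from the
# thread.
ext_if     = "em0"               # assumed: Internet-facing NIC
int_if     = "em1"               # assumed: NIC facing the game cluster
game_net   = "192.0.2.0/24"      # assumed: cluster addresses (documentation range)
game_ports = "{ 27000:27015 }"   # assumed: the game's UDP port range

# RAM is what holds states, so budget the table well above the expected
# 100,000 concurrent users (one UDP state per client flow, more if a client
# talks to several servers). The limit only takes effect if the kernel can
# back it with pool memory; verify with "pfctl -sm" after loading.
set limit { states 400000, frags 8192 }

# Short UDP timeouts stop idle or vanished clients from pinning states.
set timeout { udp.first 60, udp.single 30, udp.multiple 60 }
set optimization aggressive
set skip on lo0

# Default deny on every interface; nothing below this is reachable except
# by the explicit pass rules.
block all
antispoof quick for $ext_if

# Stateful pass for game traffic only: Internet -> cluster on the known
# UDP ports. States are floating (the default), so the reply and the
# forwarded packet on $int_if match the same state.
pass in quick on $ext_if proto udp from any to $game_net port $game_ports keep state

# Assumed to be acceptable: let the cluster itself originate connections
# (updates, logging). Tighten to specific hosts/ports if it is not.
pass in quick on $int_if from $game_net to any keep state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, then compare the requested limit against what the kernel actually granted with `pfctl -sm`, and watch `current entries` in `pfctl -si` under load to see how much of the state budget the real player population uses.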
