Re: Just how fast is pf?

Bonus! Well, that is good news and brings a smile to my face. As I have
said before on this list, just love working with pf!
Thanks for the links, I am going to look into that on Monday at work.
Mind me asking what type of machine you are running?
 --- Sean <[email protected]> wrote: 
> A wrote:
> > Now, I know this question gets asked a lot by newbs but I have a
> > commercial reason for asking. Just how many connections can a high
> > spec PC with OBSD and pf handle from a filtering perspective?
> > 
> > The company I work for is currently working on an online game that
> > will potentially have +100,000 concurrent users. We are looking at
> > different firewalls to help on the security side of things. A rather
> > complex cluster of different machines will manage these connections
> > but, I am wondering if OBSD would be able to sit in front of this
> > cluster and act as a border firewall. The ruleset itself would be
> > very simple (basically it would block everything except for a small
> > number of known UDP ports then "keep state").
> > 
> > Would a single machine be able to handle that type of load? What
> > sort of CPU+RAM+NIC would be required? Alternatively, if a single
> > machine wouldn't cut the mustard, could an array of firewalls be
> > set up?
> > 
> pf is plenty fast. We use a single pf firewall to filter 650+
> hits/second or about 30 MB/s of sustained traffic. The pf box doesn't
> even break the slightest sweat. Others here run intense setups
> without problem, too.
> What's most important is good NIC cards (buffering and interrupt
> generation for example) and RAM to hold states. Check out the pf FAQ:
> http://openbsd.org/faq/pf/perf.html
> Mike Frantzen posted a way to calculate the maximum number of states
> you have memory for (at least with 3.5, not sure if this is still true):
> http://marc.theaimsgroup.com/?l=openbsd-pf&m=108576335204963&w=2
> cheers,
> Sean
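
Added example, not part of either poster's message: a minimal pf.conf for the border-firewall ruleset described in the question (block everything, pass a few known UDP ports, keep state), with the state-table limit set explicitly because each tracked flow needs one entry in RAM. The interface name, addresses, ports and the limit value are assumptions chosen for illustration.

```conf
# Constructed example: every name and value below is a placeholder.
ext_if       = "em0"                        # Internet-facing interface (assumed)
game_servers = "{ 192.0.2.10, 192.0.2.11 }" # cluster front ends (documentation range)
game_ports   = "{ 40000, 40001 }"           # the "small number of known UDP ports"

# One state entry per tracked flow. Size this above the expected number of
# concurrent users and confirm the box has the RAM for it (see the state
# memory calculation linked in the reply above). 250000 is an assumed value.
set limit states 250000

# Drop silently instead of answering blocked packets.
set block-policy drop

# Default deny on the external interface.
block in on $ext_if all

# Allow only the game traffic in and track it, so that replies are matched
# against the state table rather than evaluated against the ruleset.
pass in on $ext_if proto udp from any to $game_servers port $game_ports keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -si` shows the current number of state entries to compare against the configured limit.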
