Re: pf vs ASIC firewalls
Danshtr <[email protected]>
Henning Brauer <[email protected]>
Thu, 17 Mar 2005 14:30:00 +0200
pf <[email protected]>
I was asking this in MISC but received no answers:
was just wondering if OBSD is doing routing+filtering in a single
So I read in "Implementing TCP/IP" that in BSD the Ethernet
interrupt handler is using schednetint. schednetint is using softintr
The only assembly I know on the PC is the 8086.
So does softisr generate a context switch?
(The reason I ask is because I read "Inside Cisco IOS" about fast
switching. They describe it as a method to route in a single
interrupt. Since I don't have Cisco code, I wanted to learn how other
OSes do that. "TCP/IP Implementation" is about BSD, so I post my
On Thu, 17 Mar 2005 12:37:01 +0100, Henning Brauer <[email protected]> wrote:
> * Jim Fron <[email protected]> [2005-03-17 08:46]:
> > On Mar 14, 2005, at 2:26 PM, Mike Frantzen wrote:
> > >>Could someone please tell me the advantages of PF against firewalls
> > >>using ASIC technology in terms of security and performance??
> > >Many (most? all?) vendors shipping what they call ASIC firewalls are
> > >actually running software on a network processor (NPU). The benefit is
> > >that most NPUs will process packets in real-time so if they claim to
> > >support X gigabit per second then they can probably sustain that even
> > >with minimum-sized 64-byte Ethernet frames;
> > You think? I've been a bit curious about this, especially in the
> > low-end ("cheap") consumer-grade hardware.
> Mike was obviously not talking about low-end stuff.
> well, this entire thread is not about low-end shitz
> > I have no idea if the BSD's--or any general-purpose host OS, for that
> > matter--will, for example, prevent logging to disk during bursts of
> > traffic. Perhaps there's a kernel option for priority of servicing
> > i/o.
> (almost all of the) logging happens in userland
> > All of that said, I wonder if there isn't some way to implement
> > something vaguely PF-ish in an FPGA that would allow more control over
> > the rulesets than an off-the-shelf ASIC.
> there likely is...
> I mean, state table and state table lookups in hardware, hand off
> ruleset processing to the main CPU, that would rock. If done right.
> Henning Brauer, BS Web Services, http://bsws.de
> [email protected] - [email protected]
> Unix is very simple, but it takes a genius to understand the simplicity.
> (Dennis Ritchie)