Discussion:
iptables vs pf
Edy Purnomo
2005-10-19 22:21:13 UTC
I suggested to my friend to replace his Linux box with OpenBSD.
He uses it mainly as an internet gateway: pf + squid proxy.
After 2 weeks he switched it back to Linux and said: Linux is much faster
to respond to the HTTP requests (he had the same configuration on OpenBSD, pf +
squid proxy).

Is there any program that can prove what he says?
Thanks.

-edy-
Chris
2005-10-20 00:25:38 UTC
Post by Edy Purnomo
I suggested to my friend to replace his Linux box with OpenBSD.
He uses it mainly as an internet gateway: pf + squid proxy.
After 2 weeks he switched it back to Linux and said: Linux is much
faster to respond to the HTTP requests (he had the same configuration on
OpenBSD, pf + squid proxy).
Is there any program that can prove what he says?
Thanks.
-edy-
Some users prefer speed over security.
*shrug*
--
Best regards,
Chris

Even paranoids have enemies.
Wolfpaw - Dale Corse
2005-10-20 01:07:47 UTC
Post by Edy Purnomo
I suggested to my friend to replace his Linux box with OpenBSD. He uses
it mainly as an internet gateway: pf + squid proxy. After 2 weeks he
switched it back to Linux and said: Linux is much faster to respond to the
HTTP requests (he had the same configuration on OpenBSD, pf + squid
proxy).
Is there any program that can prove what he says?
Thanks.
-edy-
Some users prefer speed over security.
*shrug*
I will put forward and qualify Linux being faster as a bunch
of crap - perhaps he is using low grade hardware? In our application
(~ 30mbps of various traffic - you name it, it's there.. And lots
of it is web) .. Linux won't even do it. Try to do connection
tracking, or use the limiting modules for iptables, and it dies
at 50,000 states.. I've personally seen ours do in excess of
540,000 states. Linux just runs out of RAM and dies.. It's
really horrible as a network firewall (IMNSHO).

Have you tried tcpblast? That would probably give you an
accurate benchmark. I'd still say if the throughput on
BSD is worse, something is incorrectly configured.

And I would have to echo what was already said - it's a firewall..
It is security you're after? :)

D.
per engelbrecht
2005-10-20 01:34:03 UTC
Post by Edy Purnomo
I suggested to my friend to replace his Linux box with OpenBSD.
He uses it mainly as an internet gateway: pf + squid proxy.
After 2 weeks he switched it back to Linux and said: Linux is much
faster to respond to the HTTP requests (he had the same configuration on
OpenBSD, pf + squid proxy).
Is there any program that can prove what he says?
Thanks.
No.

If your friend prefers Linux then fine, but his speed statement is wrong.
(unless he'd misconfigured something due to a lack of knowledge of
OpenBSD .. or pf .. or squid .. or runs unsupported hw .. or ..)

BTW Edy, statements (in particular
tux_userland_mock-up_no_79_glued_on_kernel_no_61_aka_slashdotoftheweek
[heck, it even got its own place on securityfocus.com] vs. OpenBSD)
without anything but the statement are useless in any respect. In fact
it appears borderline trollish.

If this friend of yours has a problem with an OpenBSD installation, then
tell him to address this list and he will get all the help he needs.


/per
Han Boetes
2005-10-20 01:47:15 UTC
Post by Edy Purnomo
I suggested to my friend to replace his Linux box with OpenBSD. He
uses it mainly as an internet gateway: pf + squid proxy. After 2
weeks he switched it back to Linux and said: Linux is much
faster to respond to the HTTP requests (he had the same configuration
on OpenBSD, pf + squid proxy).
If an experienced Linux admin has to admin a production OpenBSD
machine without any experience he is bound to get into trouble
somewhere.

Better advise him to experiment and learn OpenBSD so he knows how
to admin a box before he switches a production server to it.


# Han
Jason Dixon
2005-10-20 02:07:52 UTC
Post by Edy Purnomo
I suggested to my friend to replace his Linux box with OpenBSD.
He uses it mainly as an internet gateway: pf + squid proxy.
After 2 weeks he switched it back to Linux and said: Linux is much
faster to respond to the HTTP requests (he had the same configuration on
OpenBSD, pf + squid proxy).
Is there any program that can prove what he says?
Thanks.
Three points:

1) No way in hell is iptables faster than PF.

2) His box _may_ pass traffic faster, but this is almost certainly
due to the support level of the hardware. Without real information,
it's hard to qualify this.

3) Who cares? Why are you worried about what your friend uses? If
it works for him, so be it. Rather than trying to bring him over
"cuz PF is l33t", just make sure you mention how cool it is when your
stateful firewalls run 24x7. Oh, and when your 3.8 VPNs failover
statefully, too. :)

http://www.openbsd.org/goals.html


--
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
Roger Neth Jr
2005-10-20 03:43:38 UTC
Post by Edy Purnomo
I suggested to my friend to replace his Linux box with OpenBSD.
He uses it mainly as an internet gateway: pf + squid proxy.
After 2 weeks he switched it back to Linux and said: Linux is much faster
to respond to the HTTP requests (he had the same configuration on OpenBSD, pf +
squid proxy).
Is there any program that can prove what he says?
Thanks.
-edy-
Hello, I put OpenBSD 3.8 snapshot on an old DEC 500pws with pf.conf
and it was okay on response. Then I redid my pf.conf with the tutorial
by Jeff Hansteen posted a couple of days ago.

Wow! What a difference. My DEC firewall is faster than snot loading up
web pages. It is like I upgraded my ADSL to a faster speed.

Beats my old Linksys router I was using before this.

Thanks OpenBSD and Jeff.

Best regards,

rogern

John 3:16
Andrew Daugherity
2005-10-20 06:02:11 UTC
Post by Roger Neth Jr
Hello, I put OpenBSD 3.8 snapshot on an old DEC 500pws with pf.conf
and it was okay on response. Then I redid my pf.conf with the tutorial
by Jeff Hansteen posted a couple of days ago.
I assume you meant the one posted by Peter N. M. Hansteen[1]? I'm not
finding anything by a "Jeff Hansteen" in either the misc or pf mailing
list archives.

It does seem to be a rather useful document.

-Andrew

[1] http://marc.theaimsgroup.com/?l=openbsd-pf&m=112963309005279&w=2
Roger Neth Jr
2005-10-20 14:53:29 UTC
On Wed, 19 Oct 2005 20:43:38 -0700
Post by Roger Neth Jr
Hello, I put OpenBSD 3.8 snapshot on an old DEC 500pws with pf.conf
and it was okay on response. Then I redid my pf.conf with the tutorial
by Jeff Hansteen posted a couple of days ago.
Can you send me that link, please?
Thanks
BS
Here you go, enjoy! : )

http://www.bgnett.no/~peter/pf/en/ - full text, html, English
Roger Neth Jr
2005-10-20 15:00:29 UTC
Hi Roger,
I searched in the archives at marc.theaimsgroup.com but didn't find the
thread you mention. Do you have a link for me?
TIA,
marc
Post by Roger Neth Jr
Hello, I put OpenBSD 3.8 snapshot on an old DEC 500pws with pf.conf
and it was okay on response. Then I redid my pf.conf with the tutorial
by Jeff Hansteen posted a couple of days ago.
Wow! what a difference. My DEC firewall is faster than snot loading up
web pages. It is like I upgraded my ADSL to a faster speed.
Beats my old Linksys router I was using before this.
Thanks OpenBSD and Jeff.
Best regards,
rogern
John 3:16
Sorry, my bad, it is Peter Hansteen not Jeff Hansteen.

rogern
Peter N. M. Hansteen
2005-10-23 05:16:12 UTC
Post by Roger Neth Jr
and it was okay on response. Then I redid my pf.conf with the tutorial
by Jeff Hansteen posted a couple of days ago.
It's Peter, not Jeff, but I'm very happy to hear you found the tutorial
useful.
Post by Roger Neth Jr
Wow! what a difference. My DEC firewall is faster than snot loading up
web pages.
PF is fast, with very low overhead, in my experience, and the most
user (admin) friendly firewall I've ever encountered. I'm a bit surprised
you got a noticeable speedup by following the rather basic advice in the
tutorial. Then again, just keeping it all simple may help in that respect.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
Jan Johansson
2005-10-20 07:59:10 UTC
Post by Edy Purnomo
I suggested to my friend to replace his Linux box with OpenBSD.
He uses it mainly as an internet gateway: pf + squid proxy. After 2
weeks he switched it back to Linux and said: Linux is much
faster to respond to the HTTP requests (he had the same
configuration on OpenBSD, pf + squid proxy).
What I can remember, there is a problem that squid picks the number
of "max open files" when compiled. So if your friend compiled
squid as a normal user there might be a bottleneck.

It might also be a DNS problem. Doing bad things with PF can be
quite easy when you are new.

And knowing those Linux dudes, maybe his Linux squid is a
loadable kernel module so it will be uber fast, I mean crashing
the machine instead of just squid is not really a problem now, is
it?

And then ...

And then ...

I can think of a lot of stuff. Do a proper search for the problem
and we can try to help.

Or just let him run Linux, it is what he wants, is it not?
Daniel Ouellet
2005-10-20 09:23:14 UTC
I actually was reading a good document on PF tonight and I came across
this quote that I think would answer your question as to the difference
between iptables and pf.

OK, maybe it's more poetic, but still I really liked it.

Hope it makes you think as well! (:>

And I think it describes it very well if you have played with them!

Daniel

Quote:

Compared to working with iptables, PF is like this haiku:

A breath of fresh air,
floating on white rose petals,
eating strawberries.

Now I'm getting carried away:

Hartmeier codes now,
Henning knows not why it fails,
fails only for n00b.

Tables load my lists,
tarpit for the asshole spammer,
death to his mail store.

CARP due to Cisco,
redundant blessed packets,
licensed free for me.

Jason Dixon, on the PF email list, May 20th, 2004
(http://www.benzedrine.cx/pf/msg04702.html)
David Benfell
2005-10-20 13:28:31 UTC
Post by Jan Johansson
And knowing those Linux dudes, maybe his Linux squid is a
loadable kernel module so it will be uber fast, I mean crashing
the machine instead of just squid is not really a problem now, is
it?
Yes, we know the Linux kernel is bloated. But this is hyperbole.
--
David Benfell, LCP
***@parts-unknown.org
---
Resume available at http://www.parts-unknown.org/
Stephan A. Rickauer
2005-10-20 17:20:50 UTC
Hi,
Post by Edy Purnomo
I suggested to my friend to replace his Linux box with OpenBSD.
He uses it mainly as an internet gateway: pf + squid proxy.
After 2 weeks he switched it back to Linux and said: Linux is much
faster to respond to the HTTP requests (he had the same configuration on
OpenBSD, pf + squid proxy).
Is there any program that can prove what he says?
Thanks.
I just did extensive tests for an article that will be published in the
German linux-magazine in December (which is also kind of a 'thank you'
from my side to this list and to all openbsd guys).

It compares the 'default' network performance of a gigabit
openbsd/pf/scrub box to a netfilter 2.4 kernel box. For the tests I used
netperf from HP in different scenarios. Without going into detail here,
the overall impression in my setup (!) was that pf is minimally slower
(~ 7%) with TCP bulk transfers (TCP_STREAM/TCP_MAERTS) whereas TCP_RR,
TCP_CC and UDP_RR performance was better with pf/scrub. With a TCP_CRR
(128byte/16kbyte) test, both systems were almost equally fast.

To cut a long story short: For me the difference in performance doesn't
matter - you get a lot more with openbsd/pf in terms of features,
security, ease of administration and robustness.

And consider, this is no theoretic blabla, I just migrated our entire
firewall infrastructure from netfilter to pf ;)

Have fun,
--
Stephan A. Rickauer

----------------------------
Institut für Neuroinformatik
Universität / ETH Zürich
Winterthurerstrasse 190
CH-8057 Zürich

Tel: +41 44 635 30 50
Sek: +41 44 635 30 52
Fax: +41 44 635 30 53

http://www.ini.ethz.ch
----------------------------