Linux or OpenBSD


Linux or OpenBSD

Rikky Taylor
I was after some general advice. I need to set up a routing firewall with 3
interfaces, moderate traffic and a fair amount of NAT'ing in the rules.



Given identical modern server hardware would I expect a performance difference
between an OpenBSD/PF setup and a Linux/IPTables one?



Rikky


Re: Linux or OpenBSD

Brad Tilley-4
Rikky Taylor wrote:

> I was after some general advice. I need to setup a routing firewall with 3
> interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
>
>
>
> Given identical modern server hardware would I expect a performance difference
> between an OpenBSD/PF setup and a Linux/IPTables one?
>
>
>
> Rikky


Either will work fine so long as you purchase good NICs and avoid
cutting-edge (untested) hardware. The only things Linux does noticeably
better are:

        * Dealing with SMP
        * Dealing with lots and lots of RAM
        * Dealing with huge file-systems

None of those things are needed for simple firewalls.

Brad


Re: Linux or OpenBSD

Kevin Wilcox
In reply to this post by Rikky Taylor
On 22 September 2010 15:29, Rikky Taylor <[hidden email]> wrote:

> I was after some general advice. I need to setup a routing firewall with 3
> interfaces, moderate traffic and a fair amount of NAT'ing in the rules.

Define a "fair amount of NAT'ing". Twenty machines in one class C,
multiple class B networks filled to capacity...?

Also, I would define "moderate traffic". To some here, multiple
gigabit links is moderate, to others moderate may be ten workstations
as general web/email clients.

> Given identical modern server hardware would I expect a performance difference
> between an OpenBSD/PF setup and a Linux/IPTables one?

Again, it depends on the number of clients, the hardware being used,
type of traffic, Linux distribution (Debian or Gentoo will typically
yield better performance out-of-the-box than RHEL, Ubuntu, CentOS,
etc) and various other factors.

Basically, more information is needed for an informed decision but the
answer will almost certainly be yes, you'll see a performance
difference and it will be in favour of OpenBSD + pf.

kmw


Re: Linux or OpenBSD

roberth-5
In reply to this post by Rikky Taylor
On Wed, 22 Sep 2010 19:29:31 +0000
Rikky Taylor <[hidden email]> wrote:

> I was after some general advice. I need to setup a routing firewall
> with 3 interfaces, moderate traffic and a fair amount of NAT'ing in
> the rules.
>
>
>
> Given identical modern server hardware would I expect a performance
> difference between an OpenBSD/PF setup and a Linux/IPTables one?
>
>
>
> Rikky


You are considering iptables... So you like to be hurting a lot.
Go for it, nothing wrong with that; don't let anybody else's reasoning
get in the way of fulfilling your fantasies.
Seriously, why would you want to give someone the impression that
the gateway/firewall just works? ... Use iptables if you want to keep
your job; think of your children.


Re: Linux or OpenBSD

Mentesan
In reply to this post by Rikky Taylor
Hi Rikky,

What I can say to you, as a former Linux user (for firewalls), is:

"Iptables is ok, until you know PF; after knowing PF you'll never use
Linux, at least for firewalls, anymore."

That's my experience on this subject.

Fabio Almeida

On Wed, 2010-09-22 at 19:29 +0000, Rikky Taylor wrote:

> I was after some general advice. I need to setup a routing firewall with 3
> interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
>
>
>
> Given identical modern server hardware would I expect a performance difference
> between an OpenBSD/PF setup and a Linux/IPTables one?
>
>
>
> Rikky


Re: Linux or OpenBSD

Luis F Urrea
On Wed, Sep 22, 2010 at 4:11 PM, Fabio Almeida <[hidden email]> wrote:

> "Iptables is ok, until you know PF, after knowing PF you'll never use
> Linux, at least for firewalls, anymore".

+1


Re: Linux or OpenBSD

Nenhum_de_Nos-2
On Wed, September 22, 2010 18:56, Luis F Urrea wrote:
> On Wed, Sep 22, 2010 at 4:11 PM, Fabio Almeida <[hidden email]> wrote:
>
>> "Iptables is ok, until you know PF, after knowing PF you'll never use
>> Linux, at least for firewalls, anymore".
>>
>> +1

+1

matheus

--
We will call you cygnus,
The God of balance you shall be

A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?

http://en.wikipedia.org/wiki/Posting_style


Re: Linux or OpenBSD

Jussi Peltola
On Wed, Sep 22, 2010 at 08:39:36PM -0300, Nenhum_de_Nos wrote:

> On Wed, September 22, 2010 18:56, Luis F Urrea wrote:
> > On Wed, Sep 22, 2010 at 4:11 PM, Fabio Almeida <[hidden email]> wrote:
> >
> >> "Iptables is ok, until you know PF, after knowing PF you'll never use
> >> Linux, at least for firewalls, anymore".
> >>
> >> +1
>
> +1
>
> matheus
>
> --
> We will call you cygnus,
> The God of balance you shall be
>
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
>
> http://en.wikipedia.org/wiki/Posting_style
>

Perhaps you should stop spamming before lecturing others about top
posting.


Re: Linux or OpenBSD

Christopher Dukes
In reply to this post by Rikky Taylor
On Wed, 2010-09-22 at 19:29 +0000, Rikky Taylor wrote:
> I was after some general advice. I need to setup a routing firewall with 3
> interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
Sorry, that's just too vague to have any meaning.
Come back with a topology and numbers for traffic and subnets.
>
>
>
> Given identical modern server hardware would I expect a performance difference
> between an OpenBSD/PF setup and a Linux/IPTables one?

You're zeroing in on the wrong metric.
Better metrics are "How hard is it to read my ruleset?"
"How many nasty side effects can I expect while reloading a tweak of my
ruleset?" "What's the signal to noise ratio when I ask for help fixing
my rule set?"

I think the following from Rusty Russell gives an excellent summary:

http://ozlabs.org/~rusty/index.cgi/tech/2006-08-15.html


Re: Linux or OpenBSD

R0me0 ***
I know U, rsss
I wrote several rules with netfilter for a long time,
until this friend told me about OpenBSD/PF.
Now I forget how to write rules with netfilter.
Sincerely, I say:
PF in vein!

Regards,

Spawn


2010/9/22 Chris Dukes <[hidden email]>

> On Wed, 2010-09-22 at 19:29 +0000, Rikky Taylor wrote:
> > I was after some general advice. I need to setup a routing firewall with
> 3
> > interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
> Sorry, that's just too vague to have any meaning.
> Come back with a topology and numbers for traffic and subnets.
> >
> >
> >
> > Given identical modern server hardware would I expect a performance
> difference
> > between an OpenBSD/PF setup and a Linux/IPTables one?
>
> You're zeroing in on the wrong metric.
> Better metrics are "How hard is it to read my ruleset?"
> "How many nasty side effects can I expect while reloading a tweak of my
> ruleset?" "What's the signal to noise ratio when I ask for help fixing
> my rule set?"
>
> I think the following from Rusty Russell does an excellent summary
>
> http://ozlabs.org/~rusty/index.cgi/tech/2006-08-15.html


Re: Linux or OpenBSD

Kevin Chadwick-2
In reply to this post by Brad Tilley-4
On Wed, 22 Sep 2010 15:47:02 -0400
Brad Tilley <[hidden email]> wrote:

> Rikky Taylor wrote:
> > I was after some general advice. I need to setup a routing firewall with 3
> > interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
> >
> >
> >
> > Given identical modern server hardware would I expect a performance difference
> > between an OpenBSD/PF setup and a Linux/IPTables one?
> >
> >
> >
> > Rikky
>
>
> Either will work fine so long as you purchase good NICs and avoid
> cutting-edge (untested) hardware. The only things Linux does noticeably
> better is:
>
> * Dealing with SMP
> * Dealing with lot's and lot's of RAM
> * Dealing with huge file-systems
>
> None of those things are needed for simple firewalls.
>
> Brad
>
And PF will filter more packets on slower, quieter hardware, whilst
using less electricity. SMP is not needed for a pure firewall because
your NIC should be the bottleneck before the CPU.

It also wipes your ass by optimising the ruleset, which will be smaller
and so faster to start with anyway, and fixing up Windows' non-random
network port usage, preventing hijacks. It's also much quicker to use
and more intuitive. Do you trust something that mangles your packets?
Only joking.

iptables has many options and you may find something in there you like,
but a lot of it borders on useless and so you'll spend less time
getting what you want done. PF does a lot of cool stuff that you may
not even realise is happening, like hiding the number of machines due
to timestamp randomisation. You can always use both, but I'd always put
in PF first. Plus the host running PF is far more secure. I replaced
IPCop with OpenBSD. It's a no-brainer, as Google will tell you.

F.Y.I.
I believe PF still? performs better on i386 than it does on amd64.


Re: Linux or OpenBSD

Peter Nicolai Mathias Hansteen
In reply to this post by Christopher Dukes
Chris Dukes <[hidden email]> writes:

> Better metrics are "How hard is it to read my ruleset?"
> "How many nasty side effects can I expect while reloading a tweak of my
> ruleset?" "What's the signal to noise ratio when I ask for help fixing
> my rule set?"

Certainly for both the first and the second one, there's an angle that
iptables users tend to forget or gloss over: with iptables you
actually risk running into weird side effects, since your rule set load
is a shell script that loads rules incrementally and you can never
really be sure what's what unless the first action in your loading
script is to flush all existing rules, which of course runs the risk of
both killing connections and leaving your network wide open until your
block rules are in place.

> I think the following from Rusty Russell does an excellent summary
>
> http://ozlabs.org/~rusty/index.cgi/tech/2006-08-15.html

Yes, it's one of the better summaries by a Linux person, actually a
quite sane one.  But note the date, a lot has happened on the PF side
of the fence since then, not least performance-wise.

- P
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
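
The two loading patterns Peter describes, side by side, as an added example that is not from the thread and not code from either project: an iptables script that applies rules one command at a time (kept as a function that is never called, to show where the open window and the half-loaded failure mode sit), next to a load through iptables-restore, where policies, filter rules and the NAT table are parsed first and committed together, plus the pf equivalent using pfctl's parse-only flag before the real load. Interface names, the admin host and the 192.0.2.0/24 network are constructed placeholders; the script only renders the ruleset unless called with "apply".

```shell
#!/bin/sh
# Added example (not from the thread): incremental vs. atomic rule loading.
# Interfaces, addresses and the admin host below are constructed placeholders.
WAN_IF=eth0; LAN_IF=eth1; DMZ_IF=eth2
LAN_NET=192.0.2.0/24    # constructed (RFC 5737 documentation range)
ADMIN_HOST=192.0.2.10   # constructed

# UNSAFE pattern: one command per rule. With the default policy left at
# ACCEPT, everything is forwarded between the flush and the final DROP, and
# if any command in the middle fails the ruleset stays half-loaded.
# Shown for comparison only; never called by this script.
incremental_load_unsafe() {
    iptables -F
    iptables -t nat -F
    iptables -A INPUT -i lo -j ACCEPT
    iptables -A FORWARD -i "$LAN_IF" -o "$WAN_IF" -j ACCEPT
    iptables -t nat -A POSTROUTING -o "$WAN_IF" -j MASQUERADE
    # ... more rules; a failure here leaves everything below unapplied ...
    iptables -A FORWARD -j DROP        # the open window only closes here
}

# SAFE pattern: render the complete ruleset in iptables-restore format.
# Default DROP policies, rules and NAT are one transaction; a parse error
# means nothing changes and the running ruleset stays in force.
render_ruleset() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $LAN_IF -s $ADMIN_HOST -p tcp --dport 22 -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i $LAN_IF -o $WAN_IF -s $LAN_NET -j ACCEPT
-A FORWARD -i $DMZ_IF -o $WAN_IF -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o $WAN_IF -s $LAN_NET -j MASQUERADE
COMMIT
EOF
}

# Parse the whole ruleset first (--test), then commit it in one step.
# Touches the kernel only when called as "load_ruleset apply" on a host
# that has iptables-restore; otherwise it just prints the ruleset.
load_ruleset() {
    [ "$1" = apply ] || { render_ruleset; return 0; }
    command -v iptables-restore >/dev/null 2>&1 || {
        echo "iptables-restore not found" >&2; return 1; }
    render_ruleset | iptables-restore --test && render_ruleset | iptables-restore
}

# pf equivalent: -n parses /etc/pf.conf without loading it, and -f then
# replaces the running ruleset with the complete new one in a single step.
pf_load() {
    pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
}

load_ruleset "$@"
```

Keeping the rendered ruleset as a file under version control and loading it with iptables-restore (or pf.conf with pfctl -f) is what removes the "what's actually loaded right now?" uncertainty Peter mentions: the file is the whole state, not a sequence of deltas.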


Re: Linux or OpenBSD

Rikky Taylor
In reply to this post by Rikky Taylor
> F.Y.I.
> I believe PF still? performs better on i386 than it does on amd64.

So if I have a Sun X4100 should I install the i386 version of OpenBSD, or
should I get different hardware for a firewall?

Isn't pretty much all hardware 64-bit capable these days?


Re: Linux or OpenBSD

Stuart Henderson
On 2010-09-23, Rikky Taylor <[hidden email]> wrote:
>> F.Y.I.
>> I believe PF still? performs better on i386 than it does on amd64.
>
> So if i have a Sun X4100 should I install the i386 version of OpenBSD or
> should I get different hardware for a firewall?

"performs better" depends on how you rate performance. Some people will
consider raw forwarding speed. Others will consider number of states.
I suspect i386 is better for one of these and certainly amd64 is for the
other.

If you run close enough to the limits that it makes a real difference,
you should be testing both for yourself.

> Isnt pretty much all hardware 64bit capable these days?

No, there's a *lot* of hardware running on arm/mips processors which aren't.
Granted not a lot of it is currently running OpenBSD, but still.
If you're just talking about current-production x86-compatible hardware,
a lot is 64-bit capable, but there are still e.g. Geodes, older VIA designs
etc., which are still quite widely used and 32-bit only.


Re: Linux or OpenBSD

Henning Brauer
In reply to this post by Rikky Taylor
* Rikky Taylor <[hidden email]> [2010-09-23 20:52]:
> Isnt pretty much all hardware 64bit capable these days?

"capable" doesn't imply "better".

--
Henning Brauer, [hidden email], [hidden email]
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting


Re: Linux or OpenBSD

Ross Cameron-3
In reply to this post by Rikky Taylor
Depends what you want to do exactly I suppose...

Personally I use Linux based firewalls for many of my sites purely because
the clients in question want deep packet inspection (aka OSI layer 7
filtering) done on the network traffic.
    But that said they are always the second skin firewalls, sitting behind
PF firewalls, filtering outbound traffic while the OpenBSD/FreeBSD boxen
filter inbound traffic.

That's just my 5c worth, and I've always been of the opinion that at least two
different skins of firewalls should be deployed, built on top of different
technologies.
    Makes life a lot harder for whomever you want to keep out.




"Opportunity is most often missed by people because it is dressed in
overalls and looks like work."
    Thomas Alva Edison
    Inventor of 1093 patents, including:
        The light bulb, phonograph and motion pictures.



On Wed, Sep 22, 2010 at 9:29 PM, Rikky Taylor <[hidden email]> wrote:

> I was after some general advice. I need to setup a routing firewall with 3
> interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
>
>
>
> Given identical modern server hardware would I expect a performance
> difference
> between an OpenBSD/PF setup and a Linux/IPTables one?
>
>
>
> Rikky


Re: Linux or OpenBSD

R0me0 ***
You can filter layer 7 with Snort.

For example, detect BitTorrent and P2P traffic with Snort and drop it.

2010/9/24 Ross Cameron <[hidden email]>

> Depends what you want to do exactly I suppose...
>
> Personally I use Linux based firewalls for many of my sites purely because
> the clients in question want deep packet inspection (aka OSI layer 7
> filtering) done on the network traffic.
>    But that said they are always the second skin firewalls, sitting behind
> PF firewalls, filtering outbound traffic while the OpenBSD/FreeBSD boxen
> filter inbound traffic.
>
> Thats just my 5c worth and I've always been of the opinion that at least
> two
> different skins of firewalls should be deployed, build ontop of different
> technologies.
>    Makes life a lot harder for whomever you want to keep out.
>
>
>
>
> "Opportunity is most often missed by people because it is dressed in
> overalls and looks like work."
>    Thomas Alva Edison
>    Inventor of 1093 patents, including:
>        The light bulb, phonogram and motion pictures.
>
>
>
> On Wed, Sep 22, 2010 at 9:29 PM, Rikky Taylor <[hidden email]
> >wrote:
>
> > I was after some general advice. I need to setup a routing firewall with
> 3
> > interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
> >
> >
> >
> > Given identical modern server hardware would I expect a performance
> > difference
> > between an OpenBSD/PF setup and a Linux/IPTables one?
> >
> >
> >
> > Rikky


Re: Linux or OpenBSD

Ross Cameron-3
Indeed, I never said that you CAN'T do it on OpenBSD... I just mentioned how
I do it...

That said, though, the Snort+PF combo is two tools to do the job, where
I only need one in the wee Linux distro that I roll myself and use for
firewalls.




"Opportunity is most often missed by people because it is dressed in
overalls and looks like work."
    Thomas Alva Edison
    Inventor of 1093 patents, including:
        The light bulb, phonograph and motion pictures.



On Fri, Sep 24, 2010 at 9:51 PM, R0me0 *** <[hidden email]> wrote:

> You can to filter layer 7 with snort
>
> By example, detect bittorrent and p2p traffic with snort and drop it
>
> 2010/9/24 Ross Cameron <[hidden email]>
>
> Depends what you want to do exactly I suppose...
>>
>> Personally I use Linux based firewalls for many of my sites purely because
>> the clients in question want deep packet inspection (aka OSI layer 7
>> filtering) done on the network traffic.
>>    But that said they are always the second skin firewalls, sitting behind
>> PF firewalls, filtering outbound traffic while the OpenBSD/FreeBSD boxen
>> filter inbound traffic.
>>
>> Thats just my 5c worth and I've always been of the opinion that at least
>> two
>> different skins of firewalls should be deployed, build ontop of different
>> technologies.
>>    Makes life a lot harder for whomever you want to keep out.
>>
>>
>>
>>
>> "Opportunity is most often missed by people because it is dressed in
>> overalls and looks like work."
>>    Thomas Alva Edison
>>    Inventor of 1093 patents, including:
>>        The light bulb, phonogram and motion pictures.
>>
>>
>>
>> On Wed, Sep 22, 2010 at 9:29 PM, Rikky Taylor <[hidden email]
>> >wrote:
>>
>> > I was after some general advice. I need to setup a routing firewall with
>> 3
>> > interfaces, moderate traffic and a fair amount of NAT'ing in the rules.
>> >
>> >
>> >
>> > Given identical modern server hardware would I expect a performance
>> > difference
>> > between an OpenBSD/PF setup and a Linux/IPTables one?
>> >
>> >
>> >
>> > Rikky


Re: Linux or OpenBSD

Kevin Chadwick-2
In reply to this post by Ross Cameron-3
On Fri, 24 Sep 2010 20:32:27 +0200
Ross Cameron <[hidden email]> wrote:

>
> Thats just my 5c worth and I've always been of the opinion that at least two
> different skins of firewalls should be deployed, build ontop of different
> technologies.
>     Makes life a lot harder for whomever you want to keep out.
>

That's a sound and valid argument. I've even read something said to be
by Theo which suggested similar, showing his openness.

There is however a counter-argument which is also valid, in that you may
be adding a less secure stepping stone that has access to all your
traffic, therefore making an attacker's job easier. The famous saying "a
network is only as secure as its weakest point" could also be phrased
"weakest points".

Of course, the fact your Linux is specially rolled would likely make it
less of a weak point, and I'm not knocking your setup, but felt it
important to make the point.

Obviously layer 7 filtering, tcpdump and Snort packet parsing also
reduce your firewall's security and should be well
placed/controlled/isolated in respect to your time and
planning/processes/budget/endpoints.


Re: Linux or OpenBSD

Kevin Chadwick-2
On Sun, 26 Sep 2010 20:53:57 +0100
Kevin Chadwick <[hidden email]> wrote:

> On Fri, 24 Sep 2010 20:32:27 +0200
> Ross Cameron <[hidden email]> wrote:
>
> >
> > Thats just my 5c worth and I've always been of the opinion that at least two
> > different skins of firewalls should be deployed, build ontop of different
> > technologies.
> >     Makes life a lot harder for whomever you want to keep out.
> >
>
> That's a sound and valid argument. I've even read something said to be
> by theo which suggested similar, showing his openness.

It's occurred to me that I think what Theo suggested was actually about
using more than one architecture, which may be a better method over
Linux.
