On 10/4/06, Tommaso Di Donato <[EMAIL PROTECTED]> wrote:
On 10/4/06, Rainer Duffner <[EMAIL PROTECTED]> wrote:
> At least in this respect, pfSense is still a clear packet-filter only ;-)
> And ideally, it should stay this way while analyzing packet-content
> should occur elsewhere (because it also needs much more CPU-power).


Sorry, but I do not agree totally with you: the thing I love with pfSense is
that it is possible to install it everywhere, so it could be a _real_
competitor to enterprise products (like Cisco ASA). So, I think that
CPU-power should not be a limit.

We have a serious disadvantage against hardware firewalls.  Where they
can crank out ASICs tuned to specific needs (which comes with a
disadvantage we don't have...flexibility), we're stuck with general
purpose CPUs which aren't necessarily fast.  Thankfully, encryption
boards supported by FreeBSD aren't terribly difficult to come by, but
there's other code paths that could be sped up considerably by
hardware optimized for it.

Let us also not forget that CPUs aren't getting faster, they're
scaling wider (in fact, I think most gamers would confirm that dual
core procs don't necessarily speed up their games).  FreeBSD doesn't
multi-thread routing.  The fastest proc today will be no faster than
the fastest proc next year (unless AMD comes through with its inverse
SMP plans - presenting multiple cores as a single core to the OS).
Also, interrupts are a KILLER on x86 hardware - FreeBSD w/ polling is
better at this than OpenBSD (although I haven't personally benched
this yet), but it's not free and there's still a limit.

--Bill