FreeBSD for ALG?

szocske · Sep 19, 2009

Hi there!

I am looking for a platform to implement an externally controlled firewall.
The resulting firewall is to block all packets, except for the dynamically configured "pinholes" (or flows, or connections, ...) identified by incoming interface, source and destination IP addresses and TCP ports. It then replaces both IP addresses and ports as configured, and sends the packet out on the configured port. (please note there is no correlation between addresses and interfaces...)

The number of flows (thousands) and the packets per second (~10^5) load are not extraordinary high, but there are dozens of reconfigurations each second (adding and dropping flows).

We currently do this with linux, manipulating the conntrack table directly. It works great - on a single core. We are evaluating alternatives that could scale further on SMP systems.

Is FreeBSD for me? If yes, which firewall option do I use, and how do I access the NAT flow cache, preferably from user space?

Any advice appreciated.

Szocske

honk · Sep 20, 2009

Is there any firewall option for Linux/BSD which is capable of running on multiple cores, today? I played with FreeBSD in combination with pf some months ago and got no more than 130.000pps because pf can't use more than one core...

cheers,
honk

szocske · Sep 22, 2009

Nothing in Linux that I know of (and would suit our needs.)
That's why I am asking here about FreeBSD

phospher · Sep 22, 2009

@szocske

you should check out pfsense.com

honk · Sep 22, 2009

you should check out pfsense.com

which has pf under the hood and therefore runs not on more than one core today

@szocske: I'm interested what you going to achieve. Why do you need "...dozens of reconfigurations each second ..."? Loadbalancing? Censoring the internet?

If you need not more than 10^5 pps, you might go with pf on current hardware, but I'm not aware about the impact of the dynamic reconfiguration. Do you need redundancy also?

phospher · Sep 22, 2009

which has pf under the hood and therefore runs not on more than one core today

i know, pretty obvious in the title ey? "pfsense". i was merely trying to state that it's a good firewall that is very capable except that it only runs on single core.

szocske · Sep 23, 2009

@szocske: I'm interested what you going to achieve. Why do you need "...dozens of reconfigurations each second ..."? Loadbalancing? Censoring the internet? If you need not more than 10^5 pps, you might go with pf on current hardware, but I'm not aware about the impact of the dynamic reconfiguration. Do you need redundancy also?

Thank you all for the attention.

I assure you I do not intend to use FreeBSD for sinister causes

Sorry I can't be too specific, but imagine a central server orchestrating multimedia communication between peers.
To make this application work between otherwise isolated corporate networks, the central server opens pinholes on the firewalls.

From what I have read about PF so far, I need an interface similar to "tables" to something like the "state tables" of NAT. (which I can only query as far as I know.)

And I can't expect too much performance gain from multiple cores.

dennylin93 · Oct 1, 2009

I've never used PF like this before, so I'm not sure if this suits your needs. Try using pfctl() to alter PF on the fly. Use persistent tables to modify IPs and anchors to load and unload rules.