PF with 10Gb/s

[nORKy]

Hi,

Can PF filter (with very simple rules) 10Gb/s? I need to detect DOS/DDOS attacks. I need to analyse this data to find what type of attack is this and apply a rule to filter bad packets. Can PF use all CPU cores? Do you known which firewall (PF, IPFW) is the faster to filter 10Gb/s? Do I need a special NIC? (yes a 10G NIC, but something else?)

Thank you.

 

[Toast]

I don't know much about tuning for 10Gb/s but these seem helpful:

https://calomel.org/freebsd_network_tuning.html
https://wiki.freebsd.org/NetworkPerformanceTuning

 

[lib13]

NetBSD has come up with npf which is said to be multicore. Maybe an option to you, never tried it though.

 

[nORKy]

It's hard to choose and find complete information about *BSD, Linux, PF, IPFW, hardware support/compatibility for 10G, SMP, IRQ CPU affinity ..

 

[plamaiziere]

You can ask the freebsd-net@ mailing list too. There are many recent things in FreeBSD which look very nice (SMP PF, Netmap and so on).

You can check this document: http://bsdrp.net/documentation/technical_docs/performance

As said, on a router/firewall any TCP/UDP optimizations are useless. The important things are the packets rate per second and latency.

Regards.