Should we upgrade for PF performance?

Hello all. I have been doing a lot of research on PF and reading. One thing I am seeing in my readings is that PF experts say there is a "noticeable performance increase" on 4.4 and above. Currently we are using FreeBSD 6.1, which has the 4.1 version of PF. Is it worth it to switch to a newer version of PF mainly for the performance increases, or is it not that big a deal?

  1. Reference: http://nostarch.com/pf2.htm
    Location: NEWER PF RELEASES PERFORM BETTER - Page 5
  2. Reference: http://home.nuug.no/~peter/pf/en/long-firewall.html
    Location: Search "making each release from 4.4 through 5.0 perform better than its predecessors"
Thank you!
 
FreeBSD 6.1 is seriously end-of-life (almost four years!), so it is not supported, and it doesn't receive critical security updates. You are advised to upgrade to a supported version, which will give increased performance overall anyway.
 
Sounds like some good reasons to move to a new OS version. I brought that up today and it wasn't really enough for the people at my coop workplace to upgrade right now, and they asked me to come back with some more specific reasons. The one thing that did stand out to my boss was no more security updates. Then they said they were using a FreeBSD appliance with a small kernel and not many utilities, AKA less vulnerable. I really want to convince them to upgrade just for PF performance and should expand on that myself and try and convince them. Thanks for your response.
 
Regarding performance issues, this is not something that can be answered properly without knowing your environment and needs. If you are just looking for a better throughput then yes you might achieve that considering the improvements in the filtering engine.

Running a firewall on an EOL & EOS OS though is a much better argument IMHO, unless you are somehow able to keep up and adjust OS patching on an unsupported version with your own development team. Don't forget that FreeBSD is not just a kernel-based OS, therefore no matter how you strip down the kernel you still have to deal with the binaries that are part of the base OS.

Regards,
 
Pretty much what they said. EOL firewall = bad idea.

However, whether or not it is "worth it" from a performance perspective would depend on whether or not you are seeing performance problems at the moment?
 
"Running a firewall on an EOL & EOS OS though is a much better argument IMHO, unless you are somehow able to keep up and adjust OS patching on an unsupported version with your own development team. Don't forget that FreeBSD is not just a kernel-based OS, therefore no matter how you strip down the kernel you still have to deal with the binaries that are part of the base OS." - gkontos

This is a great point of view gkontos. I will definitely use this as a good reason to upgrade at our next meeting. Everyone who responded to this post has made the same claims about the security aspect, I see now how in my case this is more of an issue than performance.

To answer your questions, there are no performance issues. The performance question was due to my reading and learning of PF, about newer versions (4.4+) being faster/better and whether they actually made a noticeable difference, but since we don't really have any latency issues I can't see how it will help.

You can call this case closed. Thanks for the help, everyone.
 