Minimal specs when using FreeBSD purely as a firewall? (pf)

Hi,

In some cases we run small FreeBSD VMs that act as a firewall in front of Windows VMs, using pf with a binat configuration (can't trust the Windows firewall). Right now I'm configuring those FreeBSD VMs with 256MB of memory. I was wondering if someone has any idea what the minimal specs of such a VM could be in order for pf to do its work properly. Let's say we'd like to handle at least 100Mbit of traffic. The CPU from the VMware host is a Xeon L5640, so no issues there.

Anyone with such experience?
 
You'll have to experiment. You will also have to figure out how many states you want to handle at any given time, as the state table tends to hog memory as it grows.
 
You will have to try some options to get the right decision, but I think 512MB RAM will do the job for your firewall.
 
I had no problems running FreeBSD with PF on an old Pentium II machine with 128MB RAM. Mind you, it only protected my home network, but it had to shuffle a lot of P2P traffic through it :e
 
I have my own example: for an organization with 10 PCs, a P-166 MMX + 64MB + FreeBSD 7.4 + natd + ipfw + mpd5 (for the VPN connection to the Internet provider) is working. IPFW diverts packets to natd and denies inbound connections to all unneeded ports except 22 (SSH), and redirects a port to the Windows server's RDP in the LAN. So I think there is really no problem for any machine from a Pentium or AMD K5 with 16MB+ RAM.
 
16GB of RAM for a notebook is under $100. For a desktop it is cheaper. It's not expensive for servers any more either. What I'm saying is there is no sense in being overly stingy these days.

I'd suggest that if you give the VM 512 MB to 1 GB of RAM it will be plenty, and it will speed up any maintenance or other tasks you have the box perform - with no risk of running out of RAM for firewall state, etc.

Don't forget to leave yourself some RAM for administering/updating the box!

For comparison, my Cisco ASA 5510 originally shipped with 256 MB of RAM. I know it isn't exactly an apples to apples comparison, but presumably Cisco decided that spec was appropriate to handle the workload that box is sized for.


Also: if you have the VMware tools installed in the guest (and you should!), ESX/ESXi will reclaim unused guest memory anyhow via the "balloon" driver. So, I'd recommend not being stingy with the actual RAM size in the VM, and if you need to reclaim RAM, do so via a resource allocation commit level in the hypervisor. You can then alter the memory commit level on the fly without needing to reboot the VM, or just leave it for the hypervisor to sort out.

  • So - allocate the VM plenty of RAM in VM settings (say, 1 GB?)
  • Set the reservation level in the resource allocation tab (in ESX/ESXi/vCenter) as appropriate. This tab will also give you an idea of how much RAM the VM actually has "active", which will help you to set the "reservation" level appropriately.

Doing it this way, if the VM needs more RAM during updates, etc., it will get it. If it doesn't, the RAM will be reclaimed elsewhere if needed.

Again, make sure you have the VM tools installed - this will give you far better IO throughput and enable use of the balloon driver to more effectively manage the VM's memory (ESX can make the VM page the memory out that it deems best to page when the host is under memory pressure, rather than ESX just guessing and perhaps getting it wrong).
 
frijsdijk said:
Hi,

In some cases we run small FreeBSD VMs that act as a firewall in front of Windows VMs, using pf with a binat configuration (can't trust the Windows firewall). Right now I'm configuring those FreeBSD VMs with 256MB of memory. I was wondering if someone has any idea what the minimal specs of such a VM could be in order for pf to do its work properly. Let's say we'd like to handle at least 100Mbit of traffic. The CPU from the VMware host is a Xeon L5640, so no issues there.

Anyone with such experience?

It depends on the number of states, not really on the traffic. Here on a machine with 4GB RAM, PF eats around 0.7GB RAM (Max Mem 3.93GB, current 3.19GB). That's on OpenBSD with currently 600 Mbit/s and 400000 states. As far as I can see, the free memory stays around 3.2GB after a while (the uptime is 148 days).

I think 256MB is not a lot. Anyway, I suggest monitoring the memory and the number of PF states with a tool like Cacti.

Regards.
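Since the replies agree that pf's memory use is driven by the state table rather than by throughput, the knob that bounds it is `set limit states`. The following pf.conf is an added example for the binat-in-front-of-a-Windows-VM setup the original post describes; it is not from any poster in this thread, and the interface names, addresses and ports are assumptions.

```pf
# Added example, not from the thread. Interface names and addresses are
# assumptions (documentation ranges); replace with the VM's real values.
ext_if  = "vmx0"             # uplink towards the rest of the network
int_if  = "vmx1"             # leg facing the Windows VM
win_vm  = "192.168.100.10"   # private address of the Windows VM
pub_ip  = "203.0.113.10"     # public address that binat maps onto it
win_srv = "{ 443 }"          # services the Windows VM must expose (assumed)
mgmt    = "192.168.200.0/24" # admin network allowed to reach SSH on the FW

# Bound the state table so a burst of connections cannot push the VM past
# its RAM. Pick the number from the peak seen in `pfctl -si`, not a guess;
# once the limit is hit, new connections are dropped rather than memory grown.
set limit states 10000
set limit src-nodes 2000

# Shorter timeouts for dead flows keep the table small on a 256MB box.
set timeout { tcp.established 3600, tcp.closed 30, udp.single 60 }
set skip on lo0

scrub in all

# 1:1 bidirectional mapping: inbound to $pub_ip -> Windows VM, outbound
# from the Windows VM appears as $pub_ip.
binat on $ext_if from $win_vm to any -> $pub_ip

# Default deny with logging, then explicit passes only.
block in log all
pass out quick keep state

# Only the published services reach the Windows VM; everything else it
# might have listening (and the untrusted Windows firewall) stays hidden.
pass in on $ext_if proto tcp to $pub_ip port $win_srv flags S/SA keep state

# Management access to the firewall itself, from the admin network only.
pass in on $ext_if proto tcp from $mgmt to ($ext_if) port 22 flags S/SA keep state
```

`pfctl -si` reports the current number of state entries and `pfctl -sm` the configured hard limits, which is the pair of numbers to graph when sizing the VM's RAM.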
 