On May 23, 2014, at 5:11 PM, Peter Wemm <peter@wemm.org> wrote:
> On 5/23/14, 3:04 AM, Dr Josef Karthauser wrote:
>> On 23 May 2014, at 10:00, G. Paul Ziemba <pz-freebsd-stable@ziemba.us> wrote:
>>
>>> Lucius.Rizzo@The.ie (Lucius Rizzo) writes:
>>>
>>>> Ultimately, outside configuration differences, all firewalls essentially
>>>> serve the same purpose but I wonder what is your favorite and why? If
>>>> you were to run FreeBSD in production, which of the three would you
>>>> choose? IPFilter, PF or IPFW?
>>> I switched to pf about seven months ago as I began to need to
>>> manage bandwidth for specific classes of traffic (for example,
>>> prevent outbound mailing list email from saturating the link
>>> and reserve some bandwidth for interactive use).
>>>
>>> The syntax is very close and the NAT configuration is simpler in pf.
>> Does pfsync handle NAT tables?
>> Could I use it to build a resilient carrier grade NAT solution?
>>
>
> Yes, pfsync includes NAT. While we don't use NAT in the freebsd.org cluster,
> we do use it on certain ipv6+rfc1918 machines and it does handle failover /
> recovery transparently. We use it with carp.
>
> Be aware that things can get a little twitchy if your switches have an
> extended link-up period. Our Juniper EX switches and ethernet interfaces have
> a significant delay between 'ifconfig up' and link established. This required
> some tweaks on the freebsd.org cluster but nothing unmanageable. We probably
> should boot them into a hold-down state while things stabilize, but we've
> taken the quick way out rather than doing it the ideal way.
Off-topic, but it sounds like you need the Juniper equivalent of the Cisco
"spanning-tree portfast" command on your switch interfaces that connect to end
hosts. The pause you see is part of STP where the switch port sits in learning
mode from 5 to 30 seconds before going to forwarding mode. This is important
for inter-switch links, but not at all needed when you know a port is only
going to have a host plugged into it.
Charles
>
> -Peter
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
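As an added example, not written by anyone in this thread, here is a minimal FreeBSD configuration for the setup Peter describes: two firewalls share a CARP address on each side, pfsync replicates the state table (NAT translations included) over a dedicated link, and pf lets the CARP and pfsync traffic through. It assumes the FreeBSD 10 carp(4) rc.conf syntax, placeholder interface names (em0/em1/em2), documentation-range addresses and an example passphrase; the second node uses the same files with its own real addresses and a higher advskew.

```conf
# --- /etc/rc.conf on fw1 (fw2 is identical except for its own real addresses
#     192.0.2.12 / 10.0.0.12 / 10.99.0.2 and "advskew 100" on each vhid) ---
gateway_enable="YES"
pf_enable="YES"
pf_rules="/etc/pf.conf"
pfsync_enable="YES"
pfsync_syncdev="em2"        # back-to-back link to fw2; pfsync is unauthenticated, so keep it private
ifconfig_em0="inet 192.0.2.11/24"                                      # real outside address
ifconfig_em0_alias0="inet vhid 1 pass EXAMPLE_PASS alias 192.0.2.1/32"  # shared outside VIP
ifconfig_em1="inet 10.0.0.11/24"                                       # real inside address
ifconfig_em1_alias0="inet vhid 2 pass EXAMPLE_PASS alias 10.0.0.1/32"   # shared inside gateway VIP
ifconfig_em2="inet 10.99.0.1/30"                                       # pfsync link

# --- /etc/sysctl.conf: let the master reclaim its role after it recovers ---
net.inet.carp.preempt=1

# --- /etc/pf.conf (same on both nodes) ---
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"
int_net = "10.0.0.0/24"
ext_vip = "192.0.2.1"

set skip on lo0

# Translate inside hosts to the shared VIP, not to this node's real address:
# the replicated state then stays valid when the peer becomes master.
nat on $ext_if from $int_net to any -> $ext_vip

block in all
pass quick on $sync_if proto pfsync              # state replication between the pair
pass on { $ext_if $int_if } proto carp            # CARP advertisements on both sides
pass in on $int_if from $int_net to any keep state
pass out on $ext_if keep state
```

Once both nodes are up, `ifconfig em0` should report one node as MASTER and the other as BACKUP, and `pfctl -s state` on the backup should list the same NAT entries as the master.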