On 5/23/14, 11:12 PM, Charles Sprickman wrote:
> On May 23, 2014, at 5:11 PM, Peter Wemm <peter@wemm.org> wrote:
>
>> On 5/23/14, 3:04 AM, Dr Josef Karthauser wrote:
>>> On 23 May 2014, at 10:00, G. Paul Ziemba <pz-freebsd-stable@ziemba.us> wrote:
>>>
>>>> Lucius.Rizzo@The.ie (Lucius Rizzo) writes:
>>>>
>>>>> Ultimately, outside configuration differences, all firewalls essentially
>>>>> serve the same purpose, but I wonder what is your favorite and why? If
>>>>> you were to run FreeBSD in production, which of the three would you
>>>>> choose? IPFilter, PF or IPFW?
>>>> I switched to pf about seven months ago as I began to need to
>>>> manage bandwidth for specific classes of traffic (for example,
>>>> prevent outbound mailing list email from saturating the link
>>>> and reserve some bandwidth for interactive use).
>>>>
>>>> The syntax is very close and the NAT configuration is simpler in pf.
>>> Does pfsync handle NAT tables?
>>> Could I use it to build a resilient carrier grade NAT solution?
>>>
>> Yes, pfsync includes NAT. While we don't use NAT in the freebsd.org cluster, we do use it on certain ipv6+rfc1918 machines and it does handle failover / recovery transparently. We use it with carp.
>>
>> Be aware that things can get a little twitchy if your switches have extended link-up periods. Our Juniper EX switches and ethernet interfaces have a significant delay between 'ifconfig up' and link established. This required some tweaks on the freebsd.org cluster but nothing unmanageable. We probably should boot them into a hold-down state while things stabilize, but we've taken the quick way out rather than doing it the ideal way.
> Off-topic, but it sounds like you need the Juniper equivalent of the Cisco "spanning-tree portfast" command on your switch interfaces that connect to end hosts. The pause you see is part of STP where the switch port sits in learning mode from 5 to 30 seconds before going to forwarding mode. This is important for inter-switch links, but not at all needed when you know a port is only going to have a host plugged into it.
>
Indeed, I believe this is a legacy of when we had discrete switches chained together. We've since switched to virtual chassis configurations so there's only inter-switch forwarding via the backplane. I've made a note to check this out when I'm physically present.

But it is something to be aware of if you're using carp in this configuration, as new members will believe they are the master for a short while and that does lead to drama as it converges. This is not a pf/carp problem though, more one that we haven't used the available tools properly yet.
-Peter
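As an added example (not part of this thread or the freebsd.org cluster's configuration), here is a minimal FreeBSD 10-era carp + pfsync pair doing NAT through the shared CARP address, the arrangement Peter describes. Interface names (em0/em1/em2), addresses and the CARP password are constructed for the example; the standby host uses the same files with a higher advskew and its own real addresses.

```conf
# /etc/rc.conf on the primary firewall
# em0 = outside, em1 = inside, em2 = dedicated pfsync link (constructed names)
ifconfig_em0="inet 203.0.113.2/24"
# Shared outside address; the standby carries the same vhid with e.g. advskew 100
ifconfig_em0_alias0="inet vhid 1 advskew 0 pass carpsecret alias 203.0.113.1/32"
ifconfig_em1="inet 192.168.1.2/24"
# Shared inside gateway address for the LAN
ifconfig_em1_alias0="inet vhid 2 advskew 0 pass carpsecret alias 192.168.1.1/32"
ifconfig_em2="inet 10.255.0.1/24"
defaultrouter="203.0.113.254"
gateway_enable="YES"
pf_enable="YES"
pfsync_enable="YES"
pfsync_syncdev="em2"
pfsync_syncpeer="10.255.0.2"

# /etc/sysctl.conf: fail both vhids over together rather than one at a time
net.inet.carp.preempt=1

# /etc/pf.conf
ext_if="em0"
int_if="em1"
sync_if="em2"
set skip on lo0
# Translate to the CARP address, not the interface's own address, so the
# NAT state replicated by pfsync is valid on whichever host becomes master.
nat on $ext_if inet from $int_if:network to any -> 203.0.113.1
block in log all
# pfsync and carp traffic is host-local; (no-sync) keeps it out of the state replication
pass quick on $sync_if proto pfsync keep state (no-sync)
pass on { $ext_if $int_if } proto carp keep state (no-sync)
pass in on $int_if from $int_if:network to any keep state
pass out on $ext_if keep state
```

The pfsync link should be a dedicated or otherwise protected segment, since state replication is unauthenticated; after a failover, `pfctl -ss` on the new master should show the translated states that were created on the old one.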
_______________________________________________
freebsd-stable@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"