> 5.3 and 5.4 and pfSense are actually slower than m0n0wall and 5.3 by
> about 900 Kbps on a 4501 (11.4 vs. 10.5 Mbps), and similar percentages
> on WRAP and 4801.  5.4 brought no improvement over 5.3.  PF does
> handle more sessions a lot better than ipf though, it seems, though
> it's extremely unsteady.

I wonder how "Real World" these throughput results portray. There is
MUCH more to firewall performance than just throughput test. Latency
is a big part as is the performance decrease of increasing rules.

The difference of 900Kbps might not even be noticeable since 99% of
Internet pipes coming into homes and businesses are lucky to be a
third of the max Mbps you mentioned. But latency could still be a
factor as is rule handling/performance.

I know it is old but I am sure you saw the testing done between PF,
IPF and IPTables? Eliminating IPTables because it is not Stateful, PF
seemed to better IPF in all the test. Not by knockout numbers but
better. http://www.benzedrine.cx/pf-paper.html


> ... Remember m0n0wall is focused towards embedded hardware.

One thing I like about m0n0. PfSense seems to want to do everything on
one box. I like the KISS concept when it applies to firewalls. Too
many services running lead to higher risk. Plus I like how m0n0 can be
run right from CD allowing me to disconnect HD saving more power. Any
speed disadvantages of running 100% from memory if HD is available?


> If the 5.x performance issues can't be resolved, DFly might be the way
> to go.  Not to mention I'm pretty connected in that community (I
> sysadmin for the installer team, so know several committers)

How come m0n0 still hasn't at least tried to move onto IPFilter 4x
yet? It is at version 4.1.8 already and surely whatever was holding

Manuel back is fixed by now?


-- 
Best regards,
 Scott                            mailto:tcslv at cox dot net