 From:  Adam Gibson <agibson at ptm dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Porting webGUI to Linux
 Date:  Sat, 18 Jun 2005 18:41:03 -0400
Jonathan De Graeve wrote:

> The choice of BSD is obvious. More powerful than Linux (I know there 
> are lots of funky iptables modules etc.) but the fact is that BSD has a 
> MUCH better IP stack and routing code and is faster in forwarding 
> packets with less memory.

Have you seen benchmarks that show that Linux firewalling is slower than 
FreeBSD in that it would be noticeably slower than FreeBSD?  I would 
definitely be interested in seeing them if so.  The last benchmark I saw 
was not with FreeBSD but with OpenBSD and Linux, and Linux won most of 
those benchmarks with non-state tracking (TCP window tracking was not 
available at the time so they didn't test that on Linux).  That was with 
a very old 2.2.x Linux kernel.  Linux has had major VM speedup changes 
since then.  TCP window tracking has been available since 2002 for 
iptables through the normal patch-o-matic, so it would be interesting to 
see that benchmark done again comparing Linux TCP window stateful tracking.

Both OSs have been improving by quite a bit over the years.  I certainly 
have not had any speed or stability problems with Linux as a firewall on 
486, P200 and recently P400MHz equivalent systems for the past 8 years 
or with FreeBSD over the past year.  I have a feeling that their 
current performance levels and real world usage are much closer than what 
your "fact"s are telling you.

Those "funky iptables modules" are extremely useful on Linux too, so don't 
discount them too quickly.

Regardless of all of this, if I were developing it and had more 
experience with OpenBSD, I would choose that over Linux because of its 
failover of state-tracked connections for use in creating redundant 
firewalls... not because one is slightly slower or faster than the 
other.  The stateful failover would be a huge deal to me.  I doubt 
Tommaso or any of the m0n0wall developers plan for that advanced of a 
feature though.  It would definitely be something none of the other open 
and free embedded firewalls have though.