And PF will filter more packets on slower, quieter hardware, whilst
using less electricity. SMP is not needed for a pure firewall because
your NIC should be the bottleneck before the CPU.
It also wipes your ass by optimising the ruleset, which will be smaller
and so faster to start with anyway, and fixing up Windows' non-random
network port usage, preventing hijacks. It's also much quicker to use
and more intuitive. Do you trust something that mangles your packets?
Only joking.
iptables has many options and you may find something in there you like
but a lot of it borders on useless and so you'll spend less time
getting what you want done. PF does a lot of cool stuff that you may
not even realise is happening, like hiding the number of machines due
to timestamp randomisation. You can always use both but I'd always put
in PF first. Plus the host running PF is far more secure. I replaced
IPCop with OpenBSD. It's a no-brainer, as Google will tell you.
F.Y.I.
I believe PF still? performs better on i386 than it does on amd64.