# PF with 10Gb/s



## nORKy (Apr 5, 2013)

Hi,

Can PF filter (with very simple rules) 10Gb/s? I need to detect DOS/DDOS attacks. I need to analyse this data to find what type of attack it is and apply a rule to filter bad packets. Can PF use all CPU cores? Do you know which firewall (PF, IPFW) is faster at filtering 10Gb/s? Do I need a special NIC? (yes a 10G NIC, but something else?)

Thank you.


----------



## Toast (Apr 6, 2013)

I don't know much about tuning for 10Gb/s but these seem helpful:

https://calomel.org/freebsd_network_tuning.html
https://wiki.freebsd.org/NetworkPerformanceTuning


----------



## lib13 (Apr 6, 2013)

NetBSD has come up with npf, which is said to be multicore. Maybe an option for you; never tried it though.


----------



## nORKy (Apr 6, 2013)

It's hard to choose and find complete information about *BSD, Linux, PF, IPFW, hardware support/compatibility for 10G, SMP, IRQ CPU affinity...


----------



## plamaiziere (Apr 6, 2013)

You can ask the freebsd-net@ mailing list too. There are many recent things in FreeBSD which look very nice (SMP PF, Netmap and so on).

You can check this document: http://bsdrp.net/documentation/technical_docs/performance

As said, on a router/firewall any TCP/UDP optimizations are useless. The important things are the packet rate per second and latency.

Regards.


----------

