Colin Dermott wrote:
Michael E. Conlen:
>> Colin,
Hi Michael.  Thanks for your very in-depth reply!

>> FreeBSD and OpenBSD have firewall software called PF. PF has the
>> ability to redirect traffic going to a single IP address to a cluster
>> of IP addresses. In this scenario when you wish to remove a server
>> from the cluster you can remove it from the PF configuration and
>> there's no need to wait for DNS propagation or people's computers to
>> lookup the addresses after the DNS change. A simple server with a
>> single fast CPU and 1GB or possibly even 512 MB of memory should be
>> able to handle loads up to somewhere between 150 and 200 Mbit/sec of
>> traffic (my client now has a cluster of firewalls between two load
>> balancers).

I am a dev on the pfSense firewall project. It's based on FreeBSD with 
pf. We also have a load balancer to automatically detect up and down 
hosts. The load balancer makes sure the filter rules get reloaded.

We also support CARP so you can use 2 machines and achieve firewall 
failover whilst keeping state for active connections without dropping them.

>> One PF firewall. Fast machine, modest amounts of memory. With this
>> you can round robin to the servers and manage which servers get
>> traffic quickly.

I have a cluster of 2 PowerEdge 850 servers with 6Ge ports and 1GB RAM 
and a single SATA disk. I use this as an internal firewall cluster, and I 
have no issue pushing gigabit.

I'm pretty sure you can test this easily.
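As an added illustration of the setup described in the thread (not code from either poster or from the pfSense project), here is a FreeBSD-style pf.conf fragment that redirects one public address to a pool of backend web servers, with the pool kept in a table so a host can be pulled out at runtime without touching DNS. The interface names, addresses, VHID, pfsync device and the table name are all assumed; the CARP/pfsync rc.conf lines appear as comments because they live in a different file.

```conf
# Added example (not from the thread or pfSense): FreeBSD pf.conf fragment
# redirecting a public VIP to a pool of backends. Interfaces, addresses
# and the table name are assumed values.
ext_if  = "em0"
int_if  = "em1"
sync_if = "em2"                 # assumed dedicated pfsync link between the two firewalls
web_vip = "203.0.113.10"        # assumed public address (shared via CARP)

# Backend pool in a table: members can be added or removed with pfctl
# while the rule set stays loaded, so traffic shifts immediately.
table <webpool> persist { 10.0.0.11, 10.0.0.12, 10.0.0.13 }

# Translation rules must precede filter rules in pf.conf.
# round-robin spreads new connections across the table; sticky-address
# keeps a client on the same backend while it still has state.
rdr on $ext_if proto tcp from any to $web_vip port 80 -> <webpool> round-robin sticky-address

# Default deny on the outside, then admit only the redirected web traffic.
block in on $ext_if
pass in  on $ext_if proto tcp from any to <webpool> port 80 flags S/SA keep state
pass out on $int_if proto tcp from any to <webpool> port 80 keep state

# CARP and pfsync traffic between the two firewall nodes must be allowed
# or failover and state replication silently stop working.
pass on $ext_if  proto carp
pass on $sync_if proto pfsync

# /etc/rc.conf on each node (assumed values; advskew only on the backup):
#   ifconfig_em0_alias0="inet vhid 1 pass SHAREDSECRET alias 203.0.113.10/32"
#   ifconfig_em0_alias0="inet vhid 1 advskew 100 pass SHAREDSECRET alias 203.0.113.10/32"
#   pfsync_enable="YES"
#   pfsync_syncdev="em2"
#
# Runtime operations (as root):
#   pfctl -f /etc/pf.conf                    # load the rule set
#   pfctl -t webpool -T delete 10.0.0.12     # drain a backend: no new connections reach it
#   pfctl -k 0.0.0.0/0 -k 10.0.0.12          # optionally drop states still bound to it
#   pfctl -t webpool -T add 10.0.0.12        # return it to service
#   pfctl -t webpool -T show                 # verify current pool members
#   pfctl -s state | grep 10.0.0.12          # check nothing is still pinned to it
```

Two practical points the fragment makes visible: removing a host from the table only stops new connections, so existing states keep flowing until they expire or are killed with `pfctl -k`; and because pfsync replicates the state table, the backup CARP node carries those same states when it takes over, which is what lets the failover Colin mentions happen without dropping active connections.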