Forum Discussion

Nik
Jun 14, 2010

access restriction - pf vs irule?

we'll be making the transition from a pair of 6800s to a new viprion chassis in a few weeks. the current pair pushes about 900mb/s externally with 5k new connections per second. about a year ago with v9.x we were using the built-in packet filter for simple access control but as traffic increased so did our cpu load. when it hit the roof we disabled the packet filter and switched to simple irules that use data groups to either reject or allow every new connection on a per-vip basis. we're now on v10 and soon moving to the viprions. Before I start any testing of my own I'm wondering what everyone's recent experiences are with packet filter performance? is it worth it to use pf over irules? thanks!
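The per-VIP allow/reject iRule with data groups that the question describes, written out as an added example (this is not Nik's own iRule). The data group names `blocked_clients` and `allowed_clients` and the log text are assumptions; both data groups are assumed to be of the address type so that CIDR entries match.

```tcl
# Added example, not from the original thread.
# Per-virtual-server source-address access control using address-type data groups.
# Assumed (hypothetical) data group names:
#   blocked_clients - addresses/networks that must always be rejected
#   allowed_clients - addresses/networks permitted to reach this VIP
# Attach the iRule to each virtual server that needs the restriction; it only
# runs in TMM for connections that actually arrive at that VIP.
when CLIENT_ACCEPTED {
    # Explicit deny list wins over the allow list.
    if { [class match [IP::client_addr] equals blocked_clients] } {
        log local0. "Rejected (deny list) [IP::client_addr] on [virtual name]"
        reject
        return
    }
    # Anything not on the allow list is dropped as well (default deny).
    if { ![class match [IP::client_addr] equals allowed_clients] } {
        log local0. "Rejected (not allowed) [IP::client_addr] on [virtual name]"
        reject
        return
    }
    # Allowed: fall through and let the virtual server handle the flow normally.
}
```

`class match` performs one lookup per new connection, so the cost scales with the connection rate on that VIP rather than with all traffic entering the box. On a TCP virtual server `reject` tears the connection down with a RST; consider rate-limiting the log lines on a busy VIP so that logging itself does not become the bottleneck.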

4 Replies

  • Hamish
    That's an interesting question... I haven't had to do packet filters for a long time on F5's (Since 9.1 IIRC).

    However I'm surprised that you found pf's slower and using more cpu consumption than iRules... However, we probably need someone like Spark or another developer to give us a clear answer on who gets the packets first and what part of the switch/tmm/hostkernel/service kernel gets packets first and where the flowpath goes if you use pf's vs iRules. (I really would have expected iRules to consume more CPU though, especially if you're doing DG lookups).

    Although perhaps it's something strange like the pf has to run as the management host, so packets need to be transported over to it for filtering (Just like tcpdump), vs the optimised paths that would be in place for TMM and iRule processing of packets...

    H
  • We're having some performance issue with packet filters too. Our current understanding is that packet filters are constrained to 20% of the available CPU power in the box, so you're somewhat likely to encounter issues when using it with any kind of substantial throughput.

    We are currently looking at using pass-through firewalls in between the F5's and our L3 switches so we can provide security completely outside of the F5 itself.
  • Hamish
    Mmm.... I'd always sandwich external facing BigIP's with firewalls anyway. Because (As Support have told me in the past), they're not intended to be a security device... It's too easy to allow unintended access through an F5. Separating your security to a dedicated firewall and ensuring that the BigIP is there for content delivery is both more secure, and going to provide better performance as each device is optimised for the function they're performing.

    H
  • just in case anyone was wondering what i found.

    all incoming traffic is filtered with pf before it's handed off to tmm. irules are run in tmm and will only be triggered when the appropriate vip is accessed. this makes pf a vastly inferior solution in terms of both latency and hardware resource usage.