Pf firewall rules
The same tests were repeated on both machines with the pf firewall turned on.
The /etc/pf.conf file used for these tests is shown below:
## Firewall rules for IPSec ##
## ------------------------ ##
## define macro section ##
ext_if = "em0"
int_if = "em1"
#lan_net = "10.2.1.0/24"
## don't filter on loopback ##
set skip on lo0
## scrub incoming packets ##
scrub in all
## default policy is to block all ##
block all
## activate spoofing protection for all interfaces ##
block in quick from urpf-failed
### PF RULES for in -> ESP, AH, udp 500, icmp and ssh
pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto udp from any port = 500 to any port = 500
pass in quick proto icmp from any to any modulate state
pass in log quick proto tcp from any to any port = 22 keep state
##these are needed only if gif interface is used
#pass in quick proto ipencap from any to any
#pass in quick on gif0 from any to any
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto udp from any port = 500 to any port = 500
pass out quick proto icmp from any to any modulate state
pass out log quick proto tcp from any to any port = 22 keep state
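As an added example (not part of the original guide), the Python script below audits a pf.conf of this shape against the intended policy: in each direction the pass rules must cover exactly ESP, AH, UDP/500, ICMP and TCP/22, nothing may be missing, and any rule outside that set is reported. It also reports modulate state on a non-TCP rule, since pf only modulates TCP initial sequence numbers and on other protocols the keyword behaves like keep state. The embedded ruleset is a copy of the one above with the macro and comment lines dropped; the ALLOWED set, the regular expressions and the parser (which handles only the simple rule form used here) are assumptions of this example.

```python
import re

# Constructed copy of the IPsec test host's ruleset shown above
# (macro and comment lines omitted; they do not affect the audit).
PF_CONF = """\
set skip on lo0
scrub in all
block all
block in quick from urpf-failed
pass in quick proto esp from any to any
pass in quick proto ah from any to any
pass in quick proto udp from any port = 500 to any port = 500
pass in quick proto icmp from any to any modulate state
pass in log quick proto tcp from any to any port = 22 keep state
pass out quick proto esp from any to any
pass out quick proto ah from any to any
pass out quick proto udp from any port = 500 to any port = 500
pass out quick proto icmp from any to any modulate state
pass out log quick proto tcp from any to any port = 22 keep state
"""

# Intended policy (assumption of this example): (direction, protocol,
# destination port or None when the rule is "to any" without a port).
ALLOWED = {
    ("in", "esp", None), ("out", "esp", None),
    ("in", "ah", None), ("out", "ah", None),
    ("in", "udp", 500), ("out", "udp", 500),
    ("in", "icmp", None), ("out", "icmp", None),
    ("in", "tcp", 22), ("out", "tcp", 22),
}

# Matches the simple "pass <dir> [log] [quick] proto <proto> ..." form used above.
PASS_RE = re.compile(r"^pass\s+(?P<dir>in|out)\b.*?\bproto\s+(?P<proto>\w+)(?P<rest>.*)$")
DST_PORT_RE = re.compile(r"\bto\s+\S+\s+port\s*=\s*(?P<port>\d+)")


def parse_pass_rules(conf):
    """Return one dict per pass rule: direction, protocol, destination port, state keyword."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and surrounding whitespace
        m = PASS_RE.match(line)
        if not m:
            continue
        rest = m.group("rest")
        pm = DST_PORT_RE.search(rest)
        if "modulate state" in rest:
            state = "modulate"
        elif "keep state" in rest:
            state = "keep"
        else:
            state = None
        rules.append({
            "dir": m.group("dir"),
            "proto": m.group("proto"),
            "port": int(pm.group("port")) if pm else None,
            "state": state,
            "text": line,
        })
    return rules


def audit(conf, allowed=ALLOWED):
    """Compare the pass rules in conf with the intended policy; return a list of findings."""
    findings = []
    seen = set()
    for r in parse_pass_rules(conf):
        key = (r["dir"], r["proto"], r["port"])
        seen.add(key)
        if key not in allowed:
            findings.append("unexpected pass rule: " + r["text"])
        # pf only modulates TCP sequence numbers; on other protocols this is
        # just keep state, so the stronger-sounding keyword is misleading.
        if r["state"] == "modulate" and r["proto"] != "tcp":
            findings.append("modulate state on non-TCP rule (behaves as keep state): " + r["text"])
    for key in sorted(allowed, key=str):
        if key not in seen:
            findings.append("no pass rule for %s %s port %s" % key)
    return findings


if __name__ == "__main__":
    for finding in audit(PF_CONF):
        print(finding)
```

Run against the ruleset above it reports only the two ICMP rules that use modulate state; adding an unrelated pass rule or deleting one of the intended ones produces a finding. This checks intent and complements, rather than replaces, `pfctl -nf /etc/pf.conf`, which checks syntax without loading the rules.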
To enable the firewall, uncomment (or add) the following lines in /etc/rc.conf:
#pf_enable="YES"
#pf_rules="/etc/pf.conf"
#pflog_enable="YES"
#pflog_logfile="/var/log/pflog"
Start pf and pflog by running the following commands:
service pf start
service pflog start
With the firewall turned on, the same performance was achieved.
Recommendation and further investigation
Performance can be improved if a processor with AES-NI is used.
References
http://www.intel.com/content/dam/doc/how-to-guide/aes-ni-for-linux-web-server-guide.pdf - see page 4 Example of OpenSSL Speed Test without/with Intel® AES-NI
http://unixdoc.ua-i.net/articles/freebsd/tuning/perfomance.html
https://www.freebsd.org/doc/handbook/kernelconfig-config.html
https://www.openbsd.org/faq/pf/
This guide is completed now. Enjoy.