许多著名的网站,如:yahoo, netease 等著名的商业网站使用的就是freebsd,稳定性和性能早已通过很多专家的评测,远远强于Linux。
在著名的文章“Linux vs BSD: A Tale of Two System”中,是这样评价Freebsd的: FreeBSD focuses on the Intel Architecture PC and server platforms, and on providing the best performance and stability possible. The DEC/Compaq Alpha is also supported.
但是Freebsd也有不如Linux的弱点。主要表现在磁盘IO的性能上。这主要是因为Freebsd使用的文件系统—UFS的性能不如linux上使用的ext2/ext3。但是在加上softupdate之后会有很大的改进。而且出国代理上配置的使用raid5模式,磁盘使用高转速scsi硬盘,在上述硬件配置的情况下,读取squid cache的数k大小的小文件使用ext2和ufs+softupdate的效率的差别在万分之一以下。对于负载数千用户的代理服务器来说,可以忽略这样的效率差别。
基于以上原因,最终选用Freebsd作为代理服务器的操作系统。
在freebsd的可以调整的内核参数中有下面2项:net.inet.tcp.blackhole和net.inet.udp.blackhole。相应的描述如下:The blackhole sysctl(8) MIB is used to control system behaviour when connection requests are received on TCP or UDP ports where there is no socket listening. Normal behaviour, when a TCP SYN segment is received on a port where there is no socket accepting connections, is for the system to return a RST segment, and drop the connection. The connecting system will see this as a "Connection reset by peer". By setting the TCP blackhole MIB to a numeric value of one, the incoming SYN segment is merely dropped, and no RST is sent, making the system appear as a blackhole. By setting the MIB value to two, any segment arriving on a closed port is dropped without returning a RST. This provides some degree of protection against stealth port scans.In the UDP instance, enabling blackhole behaviour turns off the sending of an ICMP port unreachable message in response to a UDP datagram which arrives on a port where there is no socket listening. It must be noted that this behaviour will prevent remote systems from running traceroute(8) to a system. The blackhole behaviour is useful to slow down anyone who is port scanning a system, attempting to detect vulnerable services on a system. It could potentially also slow down someone who is attempting a denial of service attack.