From: Darren Reed
Subject: Re: performance comparision of ipfilter and ipfw
To: liam@tiora.net (Liam Slusser)
Date: Tue, 22 Sep 1998 23:50:52 +1000 (EST)
Cc: tomaz.borstnar@over.net, freebsd-security@FreeBSD.ORG
In-Reply-To: from "Liam Slusser" at Sep 22, 98 00:37:04 am

> On Tue, 22 Sep 1998, Tomaz Borstnar wrote:
>
> > Hello!
> >
> > Anyone did testing on performance of IPFW and IPFilter? From feature list
> > it looks like IPfilter has better interface and more features, but what
> > about performance? Also what kind of machine would you suggest for firewall?
> > As fast as possible CPU, 256MB RAM and plenty of disk?
> >
> > Tomaz
> >
> > ----
> > Tomaz Borstnar
> > "Love is the answer to the final question you ask" - Unknown

I missed the original email (presumably posted elsewhere) but I'll respond
re. IP Filter.

In testing I did some time ago now, on a Sun Sparc2 (~486dx2-66 in speed),
with 400 rules, 400 packets took around 11 minutes to be processed 1000
times, which comes out at around 4us for 1 packet to be processed by 1 rule.
That is *JUST* for packet filtering, no state stuff, no NAT, no logging.

Quite some time ago I designed IP Filter to provide extensive coverage for
TCP/IP filtering, probably more than most people will need but attempted
to do it in a way that has no doubt increased the `cost' of doing 1 simple
rule but has also brought down the `cost' of doing complex ones.

As others have mentioned, the choice of network card is important - choose
a PCI one which can do bus mastering (well, that's moot really as that still
depends on FreeBSD support :). Somewhere between 32MB and 128MB of RAM is
good - 256MB is just a waste.

Darren