Date:      Tue, 22 Sep 1998 16:27:07 -0400 (EDT)
From:      spork <spork@super-g.com>
To:        Darren Reed <avalon@coombs.anu.edu.au>
Cc:        freebsd-security@FreeBSD.ORG
Subject:   Re: performance comparision of ipfilter and ipfw
Message-ID:  <Pine.BSF.4.00.9809221623200.17145-100000@super-g.inch.com>
In-Reply-To: <199809221352.GAA05368@hub.freebsd.org>

Darren,

I must admit I've been brainwashed by Checkpoint and their "stateful
inspection" rhetoric.

Could you briefly explain some of the differences between ipfilter's state
mechanism and the checkpoint version?  Am I correct in assuming that they
are basically the same at many levels?  I'd appreciate hearing any other
opinions you might have on FW1 as well.  We have a few set up for clients,
and other than the name recognition, I don't see anything too incredible
for the money...

Thanks,

Charles

--
Charles Sprickman
spork@super-g.com

On Tue, 22 Sep 1998, Darren Reed wrote:

> > On Tue, 22 Sep 1998, Tomaz Borstnar wrote:
> > 
> > > Hello!
> > > 
> > > 	Has anyone done testing on the performance of IPFW and IPFilter? From the feature list
> > > it looks like IPfilter has a better interface and more features, but what
> > > about performance? Also, what kind of machine would you suggest for a firewall?
> > > As fast as possible CPU, 256MB RAM and plenty of disk?
> > > 
> > > Tomaz
> > > 
> > > ----
> > > Tomaz Borstnar <tomaz.borstnar@over.net>
> > > "Love is the answer to the final question you ask" - Unknown
> 
> I missed the original email (presumably posted elsewhere) but I'll respond
> re. IP Filter.
> 
> In testing I did some time ago now, on a Sun Sparc2 (~486dx2-66 in speed),
> with 400 rules, 400 packets took around 11 minutes to be processed 1000
> times, which comes out at around 4us for 1 packet to be processed by 1 rule.
> That is *JUST* for packet filtering, no state stuff, no NAT, no logging.
> 
> Quite some time ago I designed IP Filter to provide extensive coverage for
> TCP/IP filtering, probably more than most people will need but attempted
> to do it in a way that has no doubt increased the `cost' of doing 1 simple
> rule but has also brought down the `cost' of doing complex ones.
> 
> As others have mentioned, the choice of network card is important - choose
> a PCI one which can do bus mastering (well, that's moot really as that
> still depends on FreeBSD support :).  Somewhere between 32MB and 128MB
> of RAM is good - 256MB is just a waste.
> 
> Darren
> 


To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-security" in the body of the message