From owner-freebsd-security Tue Sep 22 13:27:49 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id NAA21639 for freebsd-security-outgoing; Tue, 22 Sep 1998 13:27:49 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from super-g.inch.com (super-g.com [207.240.140.161]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id NAA21630 for ; Tue, 22 Sep 1998 13:27:45 -0700 (PDT) (envelope-from spork@super-g.com)
Received: from localhost (localhost [127.0.0.1]) by super-g.inch.com (8.8.8/8.8.5) with SMTP id QAA20126; Tue, 22 Sep 1998 16:27:07 -0400 (EDT)
Date: Tue, 22 Sep 1998 16:27:07 -0400 (EDT)
From: spork
X-Sender: spork@super-g.inch.com
To: Darren Reed
cc: freebsd-security@FreeBSD.ORG
Subject: Re: performance comparision of ipfilter and ipfw
In-Reply-To: <199809221352.GAA05368@hub.freebsd.org>
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

Darren,

I must admit I've been brainwashed by Checkpoint and their "stateful
inspection" rhetoric. Could you briefly explain some of the differences
between ipfilter's state mechanism and the checkpoint version? Am I
correct in assuming that they are basically the same at many levels?

I'd appreciate hearing any other opinions you might have on FW1 as well.
We have a few set up for clients, and other than the name recognition, I
don't see anything too incredible for the money...

Thanks,

Charles

--
Charles Sprickman
spork@super-g.com

On Tue, 22 Sep 1998, Darren Reed wrote:

> > On Tue, 22 Sep 1998, Tomaz Borstnar wrote:
> >
> > > Hello!
> > >
> > > Did anyone do testing on the performance of IPFW and IPFilter? From the
> > > feature list it looks like IPFilter has a better interface and more
> > > features, but what about performance? Also, what kind of machine would
> > > you suggest for a firewall? As fast as possible CPU, 256MB RAM and
> > > plenty of disk?
> > >
> > > Tomaz
> > >
> > > ----
> > > Tomaz Borstnar
> > > "Love is the answer to the final question you ask" - Unknown
>
> I missed the original email (presumably posted elsewhere) but I'll respond
> re. IP Filter.
>
> In testing I did some time ago now, on a Sun Sparc2 (~486dx2-66 in speed),
> with 400 rules, 400 packets took around 11 minutes to be processed 1000
> times, which comes out at around 4us for 1 packet to be processed by 1 rule.
> That is *JUST* for packet filtering, no state stuff, no NAT, no logging.
>
> Quite some time ago I designed IP Filter to provide extensive coverage for
> TCP/IP filtering, probably more than most people will need, but attempted
> to do it in a way that has no doubt increased the `cost' of doing 1 simple
> rule but has also brought down the `cost' of doing complex ones.
>
> As others have mentioned, the choice of network card is important - choose
> a PCI one which can do bus mastering (well, that's moot really as that
> still depends on FreeBSD support :). Somewhere between 32MB and 128MB
> of RAM is good - 256MB is just a waste.
>
> Darren
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
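Added illustration (not part of the original thread, and not IP Filter, ipfw or FireWall-1 code): a toy first-match packet filter with an optional state table, written to make concrete the two things the thread circles around. Darren's cost figure is per packet per rule, so a stateless filter pays for the whole rule walk on every packet of a flow; a "keep state" rule pays for the walk once and answers the remaining packets from a state-table lookup. The same model also shows the security difference behind Charles's question: a stateless ruleset has to admit replies by source port, which a packet that merely sets sport=25 satisfies, while the stateful ruleset only admits packets belonging to a flow it has already seen. The addresses, the padding ("noise") rules and the flow lengths are constructed; the per-rule cost function just reproduces Darren's arithmetic (11 minutes, 400 rules, 400 packets, 1000 repetitions).

```python
"""Toy first-match packet filter with an optional state table.

A constructed model, not IP Filter, ipfw or FireWall-1 code. It counts rule
evaluations so the two costs discussed in the thread can be compared: a
stateless filter walks the rule list for every packet, a stateful one walks
it once per flow and answers the rest from a state table. Addresses and the
padding rules are made up.
"""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    proto: str = "any"
    src: str = "any"
    sport: Optional[int] = None       # None = any port
    dst: str = "any"
    dport: Optional[int] = None
    keep_state: bool = False          # in the spirit of ipf's "keep state"

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and self.src in ("any", p.src)
                and self.sport in (None, p.sport)
                and self.dst in ("any", p.dst)
                and self.dport in (None, p.dport))


@dataclass
class Filter:
    rules: list
    state: set = field(default_factory=set)
    evaluations: int = 0              # rule evaluations performed so far

    @staticmethod
    def _key(p: Packet) -> tuple:
        # Direction-independent 5-tuple so the reply hits the same entry.
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])

    def process(self, p: Packet) -> str:
        if self._key(p) in self.state:
            return "pass"             # state hit: no rule walk at all
        for r in self.rules:          # first match wins
            self.evaluations += 1
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    self.state.add(self._key(p))
                return r.action
        return "block"                # default deny


def build_ruleset(n_noise: int, stateful: bool) -> list:
    """n_noise padding rules that never match the sample traffic, then the SMTP rules."""
    noise = [Rule("pass", "udp", dst=f"10.0.{i // 256}.{i % 256}", dport=53)
             for i in range(n_noise)]
    if stateful:
        return noise + [Rule("pass", "tcp", dst="192.0.2.10", dport=25, keep_state=True)]
    # Stateless: replies need their own rule, keyed on source port 25,
    # which is exactly what a spoofed packet with sport=25 also satisfies.
    return noise + [Rule("pass", "tcp", dst="192.0.2.10", dport=25),
                    Rule("pass", "tcp", sport=25)]


# Constructed sample traffic (documentation address ranges).
CLIENT = Packet("tcp", "198.51.100.7", 40000, "192.0.2.10", 25)
SERVER = Packet("tcp", "192.0.2.10", 25, "198.51.100.7", 40000)
UNSOLICITED = Packet("tcp", "203.0.113.9", 25, "198.51.100.7", 40000)


def evaluations_for_flow(n_noise: int, n_packets: int, stateful: bool) -> int:
    """Rule evaluations spent passing one SMTP connection, packets alternating direction."""
    f = Filter(build_ruleset(n_noise, stateful))
    for i in range(n_packets):
        if f.process(CLIENT if i % 2 == 0 else SERVER) != "pass":
            raise RuntimeError("legitimate packet blocked")
    return f.evaluations


def unsolicited_verdict(stateful: bool) -> str:
    """Verdict for a forged 'reply' with source port 25 that no SYN preceded."""
    return Filter(build_ruleset(399, stateful)).process(UNSOLICITED)


def per_rule_cost_us(seconds: float, rules: int, packets: int, repeats: int) -> float:
    """Darren's figure: wall time / (rules * packets * repeats), in microseconds."""
    return seconds * 1e6 / (rules * packets * repeats)


if __name__ == "__main__":
    print("stateless, 400 rules, 10 pkts:", evaluations_for_flow(399, 10, stateful=False))
    print("stateful,  400 rules, 10 pkts:", evaluations_for_flow(399, 10, stateful=True))
    print("forged sport 25 -> stateless:", unsolicited_verdict(False),
          "stateful:", unsolicited_verdict(True))
    print("Sparc2 per-rule cost (us):", per_rule_cost_us(11 * 60, 400, 400, 1000))
```

With a 400-rule list the stateless filter spends roughly 400 evaluations on every packet of the connection, the stateful one spends them once; multiply by Darren's ~4us per rule and a state hit saves on the order of 1.6ms per packet on that Sparc2. The forged-reply case is the part the "stateful inspection" marketing is actually about: the stateless ruleset passes it, the stateful one blocks it.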