Re: firewall performance throughput between Linux and OpenBSD

From: sam (samwun_at_hgcbroadband.com)
Date: 07/19/04

Date: Mon, 19 Jul 2004 07:53:12 +0800

From the performance test page I read through a while ago, PF is
using 2-way full stateful inspection while iptables only inspects the
incoming packet, thus iptables is faster than PF. However, PF has better
performance than IPF.

sam

Sean wrote:
> Greg Hennessy <me@privacy.net> wrote in message news:<tnekf0pf9s4m4hfoer7mpee4n0cknumt2j@4ax.com>...
>
>>On 17 Jul 2004 16:30:59 -0700, seconway@mts.net (Sean) wrote:
>>
>>
>>>G'Day,
>>>Can anyone suggest a cause for the performance difference between an
>>>OBSD 3.5 pf firewall and a RH7.3 ipfilter firewall?
>>
>>Yes, a problem between the chair and keyboard.
>>
>>
>>>The throughput
>>>performance on OBSD is a 10th of the throughput on the RH firewall.
>>>
>>>
>>
>>1/10th of the 'throughput' as measured by *what* exactly ?
>>
>>
>>
>>greg
>
>
> Thanks to the people that suggested to move to a "better" O/S. I am
> not interested. If I cannot solve the problem on OBSD I will stay with
> Linux.
>
> Enclosed are the hardware platforms that have been used to conduct the
> tests:
> Motherboard: P/I-P55TVP4
> CPU:233MMX
> RAM:64M
> NIC: Dlink 530TX
>
> Motherboard: P6B
> CPU:433MMX
> RAM:393M
> NIC: Dlink 530TX
>
> Internet: DSL using PPPOE
>
> The firewall is used to connect a private network to the internet. The
> private network is running a variety of windows boxes. All boxes show
> the same slow performance symptom.
>
> Enclosed are the pf.conf and ppp.conf files. Some information has
> been altered to eliminate the obvious.
>
> PF.CONF
> # Macros
> # ext_if -- the interface to the outside world
> ext_if="tun0"
>
> # prv_if -- the interface to the private hosts
> prv_if="vr3"
>
> # prv_hosts -- the list of addresses of hosts on the
> # screened LAN
> prv_hosts = "{192.168.2.1, 192.168.2.107, 192.168.2.10}"
>
> # Options
> set require-order yes
> set block-policy drop
> set optimization normal
> set loginterface none
>
> # Normalize packets
> scrub in all
> scrub out all
>
> # Translate packets
> nat on $ext_if inet proto {tcp, udp, esp} from $prv_hosts to any -> ($ext_if) static-port
>
>
> PPP.CONF
> default:
> set log all Phase Chat LCP IPCP CCP tun command
>
> pppoe:
> set device "!/usr/sbin/pppoe -i vr3"
> set mtu max 1492
> set speed sync
> disable acfcomp protocomp
> deny acfcomp
> set login
> set authname ###################
> set authkey ####################
> add! default HISADDR
> enable dns
> enable mssfixup
>
> I have used two tests to gauge performance.
> www.pcpitstop.com/internet/BandwidthResults.asp has a crude
> measurement tool. I have also tried doing ftp downloads. The same
> result exists but it is not a true measure since the OBSD is using
> ftp-proxy and the linux box does not.
>
> Here are some performance stats using the above web link
> Linux (233MHz)
> 1071kbit/sec
> 1082
> 1111
> OBSD 3.4 (233MHz)
> 72
> 74
> 75
> OBSD 3.5 (433MHz)
> 144
> 143
> 142
>
> I also tried an informal test by replacing the firewall without
> notifying the clients. I was called within an hour of the new install
> with complaints about slow performance. I switched the old unit back
> in place and told the users there was an ISP problem.
>
> I am a newbie at OBSD but have some experience with other unixes. My
> research using the books recommended on the OpenBSD site has not
> provided any insight. This newsgroup did have a reference back in
> 2003 regarding performance issues. It was centered around the rules in
> pf.conf. Running with a full pf rules file or the wide-open version
> listed nets the same performance results. The linux box is running a
> full rules file using iptables. I didn't try the performance test on
> that box without rules.
>
> I am stepping back to let unbiased eyes examine the setup to see if
> there is something I am missing. I am open to suggestions. The
> firewall works. The throughput performance is the issue.
