Firewall throughput benchmark test?

Posted on 2004-08-12
Last Modified: 2008-01-16
I am setting up my Linux ipfilter firewall at work but my boss wants me to buy this firewall because he thinks the throughput is much better.

Anyone know of the standardized way of measuring throughput via firewalls or IDS/IPS systems?

I want to show him my linux setup is FASTER!! :)

I can see in their brochure they have a claimed throughput of:
Maximum number of connections 16,000
Connection rate 8,000/second
Aggregate Throughput 140 Mbps.

It seems most use the term Mbps?
Is there a way they do this standardized so he can see I am not cheating him?
Question by:benjsh
LVL 14

Expert Comment

Maximum number of Connections is the size of the state table for keeping track of TCP sessions. 16,000 seems pretty low.

The Connection Rate is how many tcp three-way handshakes the thing can stuff into the TCP connection state table per second.

The Aggregate Throughput is probably how many maximally-sized UDP packets you stuff through it. Real-world throughput will probably be something like half of this.

The first question from a performance standpoint isn't whether one setup is faster than the other, but how much speed you need. If you're on the other side of a DS-3, neither this solution nor your linux box are likely to be sufficient. If you're on the other side of a T1, you can get away with linux on a 486/33, if you can still find one.

As for measuring these things on your linux box, that shouldn't be that difficult, and there are tools around that do this type of thing that you can Google for.

Of course, you also have to ask why your boss wants a commercial solution. There may be very good reasons, or his reasons may be bogus and you can easily dissuade him. And if there are very good reasons, that doesn't mean that the product he's looking at right now is even remotely close to the best choice.

Author Comment

I know the firewall box we got an offer on is a 256 MB RAM, 800 MHz system with 100 Mbit LAN.

My system is a Celeron 1700 with 512 MB RAM :) so I know I should be able to do better.

Do you know of some "trusted" tools to do this analysis so he can see it is not me tricking him?
LVL 14

Accepted Solution

chris_calabrese earned 500 total points
You really have to be careful here. Find out what he actually cares about. Perhaps performance doesn't matter above a minimum threshold. Other considerations are security, ease/cost of management, ease/cost of use (related to things like whether it supports the protocols/features you need, etc.).

Meanwhile, some places to look for tools are

Author Comment

Can you test the 3 categories with this program?
I already tried Netperf before with no results :(
LVL 14

Expert Comment

The max connections is not something people usually test, since it's obvious from the way the system is designed. For iptables, it will depend on how much ram your system has, but will be way more than 16000 on your hardware.

Netperf should be able to do the other two, I would think, though I've never used it myself.
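The three figures from the brochure (state-table size, connection rate, aggregate throughput) can be measured with a short script as well as with Netperf. The following is an added example, not code from the thread or from any of the tools named in it. It assumes a throwaway "sink" listener that discards whatever it receives, and by default runs that sink on loopback so the script is self-contained; to measure through a firewall, run the sink on a host on the far side and call the client functions from the near side with that host's address and port (the function names, the `HOST`/`CHUNK` values, and the sample sizes are all this example's own choices). The conntrack limit is read from the kernel's own /proc path and reported as None where connection tracking is not loaded.

```python
"""Firewall-style benchmark: state-table limit, connection rate, throughput.

Added example (not from the original thread). Loopback by default; point the
client functions at a sink running behind the firewall under test instead.
"""
import socket
import threading
import time

HOST = "127.0.0.1"      # assumption: loopback so the example runs stand-alone
CHUNK = 64 * 1024       # bytes per send()/recv() call

# Kernel paths for the connection-tracking table limit (the "maximum number of
# connections" figure). First is the modern netfilter name, second the older
# ip_conntrack name from the 2.4/2.6 kernels of this thread's era.
CONNTRACK_MAX_PATHS = (
    "/proc/sys/net/netfilter/nf_conntrack_max",
    "/proc/sys/net/ipv4/ip_conntrack_max",
)


def conntrack_max():
    """Return the kernel's state-table limit, or None if conntrack is not loaded."""
    for path in CONNTRACK_MAX_PATHS:
        try:
            with open(path) as fh:
                return int(fh.read().strip())
        except (OSError, ValueError):
            continue
    return None


def start_sink_server(host=HOST):
    """Listen on an ephemeral port and discard everything received.
    Returns (port, stop_event); set stop_event to shut the server down."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1024)
    srv.settimeout(0.2)          # lets the accept loop notice stop_event
    stop = threading.Event()

    def drain(conn):
        conn.settimeout(10)      # never hang on a half-open client
        with conn:
            try:
                while conn.recv(CHUNK):
                    pass
            except OSError:
                pass

    def accept_loop():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
            except socket.timeout:
                continue
            threading.Thread(target=drain, args=(conn,), daemon=True).start()
        srv.close()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1], stop


def connection_rate(host, port, count):
    """Complete `count` TCP three-way handshakes back to back and return
    (connections_per_second, elapsed_seconds)."""
    start = time.perf_counter()
    for _ in range(count):
        socket.create_connection((host, port)).close()
    elapsed = time.perf_counter() - start
    return count / elapsed, elapsed


def throughput_mbps(host, port, total_bytes):
    """Push total_bytes through one TCP stream and return (mbps, bytes_sent).
    Mbps here means 10**6 bits per second, the unit vendors quote."""
    payload = b"\x00" * CHUNK
    sent = 0
    start = time.perf_counter()
    with socket.create_connection((host, port)) as sock:
        while sent < total_bytes:
            n = min(CHUNK, total_bytes - sent)
            sock.sendall(payload[:n])
            sent += n
    elapsed = time.perf_counter() - start
    return sent * 8 / elapsed / 1e6, sent


def run_benchmark(host=HOST, port=None, connections=500, megabytes=16):
    """Run both measurements. With no port given, a local sink is started;
    with a port, a sink is assumed to be listening there already."""
    stop = None
    if port is None:
        port, stop = start_sink_server(host)
    try:
        rate, _ = connection_rate(host, port, connections)
        mbps, sent = throughput_mbps(host, port, megabytes * 1024 * 1024)
    finally:
        if stop is not None:
            stop.set()
    return {"conntrack_max": conntrack_max(),
            "connections_per_second": rate,
            "throughput_mbps": mbps,
            "bytes_sent": sent}


if __name__ == "__main__":
    for key, value in run_benchmark().items():
        print(f"{key}: {value}")
```

Loopback numbers only show the script works; the comparison the boss cares about comes from running the sink and the client on opposite sides of each firewall with the same sizes, and repeating a few times so a single run of TIME_WAIT backlog or a busy CPU does not decide the result. The throughput figure measures one TCP stream, so it sits below the UDP "aggregate" number a brochure quotes, in line with the earlier comment that real-world throughput lands around half the headline figure.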
