

Firewall throughput benchmark test?

Posted on 2004-08-12
Medium Priority
Last Modified: 2008-01-16
I am setting up my Linux ipfilter firewall at work, but my boss wants me to buy this firewall because he thinks the throughput is much better.

Anyone know of the standardized way of measuring throughput via firewalls or IDS/IPS systems?

I want to show him my Linux setup is FASTER!! :)

I can see in their brochure they have a claimed throughput of:
Maximum number of connections 16,000
Connection rate 8,000/second
Aggregate Throughput 140 Mbps.

It seems most use the term Mbps?
Is there a way they do this standardized so he can see I am not cheating him?
Question by: benjsh
LVL 14

Expert Comment

ID: 11784437
Maximum number of Connections is the size of the state table for keeping track of TCP sessions. 16,000 seems pretty low.

The Connection Rate is how many tcp three-way handshakes the thing can stuff into the TCP connection state table per second.

The Aggregate Throughput is probably how many maximally-sized UDP packets you stuff through it. Real-world throughput will probably be something like half of this.

The first question from a performance standpoint isn't whether one setup is faster than the other, but how much speed you need. If you're on the other side of a DS-3, neither this solution nor your linux box are likely to be sufficient. If you're on the other side of a T1, you can get away with linux on a 486/33, if you can still find one.

As for measuring these things on your linux box, that shouldn't be that difficult, and there are tools around that do this type of thing that you can Google for.

Of course, you also have to ask why your boss wants a commercial solution. There may be very good reasons, or his reasons may be bogus and you can easily dissuade him. And if there are very good reasons, that doesn't mean that the product he's looking at right now is even remotely close to the best choice.

Author Comment

ID: 11785768
I know the firewall box we got an offer on is a 256 MB RAM, 800 MHz system with 100 Mbit LAN.

My system is a Celeron 1700 with 512 MB RAM :) so I know I should be able to do better.

Do you know of some "trusted" tools to do this analysis so he can see it is not me tricking him?
LVL 14

Accepted Solution

chris_calabrese earned 1500 total points
ID: 11790176
You really have to be careful here. Find out what he actually cares about. Perhaps performance doesn't matter above a minimum threshold. Other considerations are security, ease/cost of management, ease/cost of use (related to things like whether it supports the protocols/features you need, etc.).

Meanwhile, some places to look for tools are

Author Comment

ID: 11790700
Can you test the 3 categories with this program?
I already tried Netperf before with no results :(
LVL 14

Expert Comment

ID: 11793324
The max connections is not something people usually test, since it's obvious from the way the system is designed. For iptables, it will depend on how much ram your system has, but will be way more than 16000 on your hardware.

Netperf should be able to do the other two, I would think, though I've never used it myself.
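Editor's note: the three brochure figures discussed above map onto three simple measurements, and the following script is an added example (not from any poster in this thread, and not Netperf) that takes two of them with nothing but the Python standard library. It opens a TCP sink, then counts how many three-way handshakes a client can complete per second (the "connection rate") and how many megabits per second a single bulk TCP stream pushes (a conservative stand-in for "aggregate throughput"). For the "maximum number of connections" it simply reads the conntrack table limit from /proc, which is where an iptables box keeps the equivalent number. Everything here runs on the loopback address so it executes offline; that configuration benchmarks the test host's own TCP stack, not a firewall. To test a firewall, run the sink on a host on one side and the client on a host on the other, then compare the numbers with and without the device in the path. The host name, port choice and sizes below are assumptions for the example.

```python
"""Loopback micro-benchmark for the three figures quoted in the brochure:
connection rate, bulk throughput, and (on Linux) the state-table size.

Added example, not from the thread.  Server and client both sit on
127.0.0.1 here; for a real firewall test put them on opposite sides of it.
"""
import socket
import threading
import time


def start_sink(host="127.0.0.1"):
    """Start a TCP sink that accepts connections and discards whatever is sent.
    Returns (port, stop_event).  Port 0 lets the OS pick a free port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((host, 0))
    srv.listen(1024)
    srv.settimeout(0.2)          # so the accept loop can notice stop_event
    port = srv.getsockname()[1]
    stop = threading.Event()

    def drain(conn):
        with conn:
            while True:
                try:
                    if not conn.recv(65536):   # b"" means the peer closed
                        return
                except OSError:
                    return

    def serve():
        with srv:
            while not stop.is_set():
                try:
                    conn, _ = srv.accept()
                except socket.timeout:
                    continue
                threading.Thread(target=drain, args=(conn,), daemon=True).start()

    threading.Thread(target=serve, daemon=True).start()
    return port, stop


def connection_rate(host, port, duration=1.0):
    """Open and immediately close TCP connections for `duration` seconds.
    Every connect() is a full three-way handshake, i.e. one new entry a
    stateful firewall in the path must add to its state table.
    Returns completed connections per second."""
    count = 0
    start = time.monotonic()
    deadline = start + duration
    while time.monotonic() < deadline:
        with socket.create_connection((host, port)):
            count += 1
    return count / (time.monotonic() - start)


def throughput_mbps(host, port, total_bytes=64 * 1024 * 1024, chunk=64 * 1024):
    """Push `total_bytes` through one TCP connection and return Mbit/s
    (decimal megabits, the unit vendors quote).  Bulk TCP is what most
    sites actually care about; vendor 'aggregate throughput' is usually
    measured with maximum-size UDP frames and comes out higher."""
    payload = b"\x00" * chunk      # constructed filler data
    sent = 0
    start = time.monotonic()
    with socket.create_connection((host, port)) as s:
        while sent < total_bytes:
            s.sendall(payload)
            sent += len(payload)
    return sent * 8 / (time.monotonic() - start) / 1e6


def conntrack_max():
    """On a Linux iptables box the 'maximum number of connections' is just the
    conntrack table limit (a sysctl, sized from RAM at boot).  Returns None
    when neither the current nor the old 2.4-era /proc path exists."""
    for path in ("/proc/sys/net/netfilter/nf_conntrack_max",
                 "/proc/sys/net/ipv4/netfilter/ip_conntrack_max"):
        try:
            with open(path) as f:
                return int(f.read().strip())
        except OSError:
            continue
    return None


def run_benchmark(duration=1.0, total_bytes=64 * 1024 * 1024):
    """Run all three measurements against a local sink and return them."""
    port, stop = start_sink()
    try:
        rate = connection_rate("127.0.0.1", port, duration)
        mbps = throughput_mbps("127.0.0.1", port, total_bytes)
    finally:
        stop.set()
    return {"conn_per_sec": rate, "throughput_mbps": mbps,
            "conntrack_max": conntrack_max()}


if __name__ == "__main__":
    r = run_benchmark()
    print(f"Connection rate:    {r['conn_per_sec']:,.0f} /s")
    print(f"Bulk TCP throughput:{r['throughput_mbps']:,.0f} Mbit/s")
    print(f"conntrack_max:      {r['conntrack_max']}")
```

Two caveats when reading the numbers. A single-threaded client with a one-second window is itself a bottleneck and leaves TIME_WAIT sockets behind, so for a real comparison run several client hosts in parallel and keep the runs short; vendor figures are produced with dedicated traffic generators. And if the boss wants something "standardized", the published methodology for exactly these three measurements is RFC 3511 (Benchmarking Methodology for Firewall Performance), with its terminology in RFC 2647; both spell out the UDP frame sizes and connection-establishment procedures that make two vendors' "140 Mbps" comparable.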
