Firewall throughput benchmark test?

I am setting up my Linux ipfilter firewall at work but my boss wants me to buy this firewall because he thinks the throughput is much better.

Anyone know of the standardsized way of measureing throughput via firewalls or ids/ips systems?

I want to show him my linux setup is FASTER!! :)

I can see in their brohure they have a claimed throughput of:
Maximum number of connections 16,000
Connection rate 8,000/second
Aggregate Throughput 140 Mbps.

It seems most use the term of Mbps ?
Is there a way they do this standardsized so he can see i am not cheating him?
Who is Participating?

Improve company productivity with a Business Account.Sign Up

chris_calabreseConnect With a Mentor Commented:
You really have to be careful here. Find out what he actually cares about. Perhaps performance doesn't matter above a minimum threshold. Other considerations are security, ease/cost of management, ease/cost of use (related to things like whether it supports the protocols/features you need, etc.).

Meanwhile, some places to look for tools are
Maximum number of Connections is the size of the state table for keeping track of TCP sessions. 16,000 seems pretty low.

The Connection Rate is how many tcp three-way handshakes the thing can stuff into the TCP connection state table per second.

The Aggregate Troughput is probably how many maximally-sized UDP packets you stuff through it. Real-world throughput will probably be something like half of this.

The first question from a performance standpoint isn't whether one setup is faster than the other, but how much speed you need. If you're on the other side of a DS-3, neither this solution nor your linux box are likely to be sufficient. If you're on the other side of a T1, you can get away with linux on a 486/33, if you can still find one.

As for measuring these things on your linux box, that shouldn't be that difficult, and there are tools around that do this type of thing that you can Google for.

Of course, you also have to ask why your boss wants a commercial solution. There may be very good reasons, or his reasons may be bogus and you can easily dissuade him. And if there are very good reasons, that doesn't mean that the product he's looking at right now is even remotely close to the best choice.
benjshAuthor Commented:
i know the firewall box we got an offer off is a 256 meg ram 800 mhz system with 100 mbit lan.

My system is a celeron 1700 with 512 meg ram :) so i know i should be able to do better.

Do you know of some "trusted" tools to do this analyze so he can see it is not me tricking him?
benjshAuthor Commented:
Can you test the 3 categories with this program?
I already tried Netperf before with no results :(
The max connections is not something people usually test, since it's obvious from the way the system is designed. For iptables, it will depend on how much ram your system has, but will be way more than 16000 on your hardware.

Netperf should be able to do the other two, I would think, though I'v never used it myself.
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

All Courses

From novice to tech pro — start learning today.