

Firewall throughput benchmark test?

Posted on 2004-08-12
Medium Priority
Last Modified: 2008-01-16
I am setting up my Linux ipfilter firewall at work but my boss wants me to buy this firewall because he thinks the throughput is much better.

Does anyone know of a standardised way of measuring throughput through firewalls or IDS/IPS systems?

I want to show him my linux setup is FASTER!! :)

I can see in their brochure they have a claimed throughput of:
Maximum number of connections 16,000
Connection rate 8,000/second
Aggregate Throughput 140 Mbps.

It seems most use the term of Mbps ?
Is there a way they do this in a standardised way, so he can see I am not cheating him?
Question by: benjsh
LVL 14

Expert Comment

ID: 11784437
Maximum number of Connections is the size of the state table for keeping track of TCP sessions. 16,000 seems pretty low.

The Connection Rate is how many tcp three-way handshakes the thing can stuff into the TCP connection state table per second.

The Aggregate Throughput is probably how many maximally-sized UDP packets you can stuff through it. Real-world throughput will probably be something like half of this.

The first question from a performance standpoint isn't whether one setup is faster than the other, but how much speed you need. If you're on the other side of a DS-3, neither this solution nor your linux box are likely to be sufficient. If you're on the other side of a T1, you can get away with linux on a 486/33, if you can still find one.

As for measuring these things on your linux box, that shouldn't be that difficult, and there are tools around that do this type of thing that you can Google for.

Of course, you also have to ask why your boss wants a commercial solution. There may be very good reasons, or his reasons may be bogus and you can easily dissuade him. And if there are very good reasons, that doesn't mean that the product he's looking at right now is even remotely close to the best choice.

Author Comment

ID: 11785768
I know the firewall box we got an offer on is a 256 MB RAM, 800 MHz system with 100 Mbit LAN.

My system is a Celeron 1700 with 512 MB RAM :) so I know I should be able to do better.

Do you know of some "trusted" tools to do this analysis, so he can see it is not me tricking him?
LVL 14

Accepted Solution

chris_calabrese earned 1500 total points
ID: 11790176
You really have to be careful here. Find out what he actually cares about. Perhaps performance doesn't matter above a minimum threshold. Other considerations are security, ease/cost of management, ease/cost of use (related to things like whether it supports the protocols/features you need, etc.).

Meanwhile, some places to look for tools are

Author Comment

ID: 11790700
Can you test the 3 categories with this program?
I already tried Netperf before with no results :(
LVL 14

Expert Comment

ID: 11793324
The max connections is not something people usually test, since it's obvious from the way the system is designed. For iptables, it will depend on how much ram your system has, but will be way more than 16000 on your hardware.

Netperf should be able to do the other two, I would think, though I've never used it myself.
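As an added illustration for this thread (it is not code from any of the posters, and not Netperf or any other tool they mention), here is a small Python script that measures the three datasheet figures the first expert comment explains, and that the last comment says Netperf can cover two of: connection rate (completed TCP handshakes per second), aggregate throughput (payload megabits per second), and the number of connections held open at once, which is what fills a firewall's state table. It runs over loopback so it is self-contained; to measure a firewall you would run the server half on a host behind it and point the client half at that host. All function names are the author's own, and the datasheet figures in the usage example are the ones quoted in the question.

```python
"""Loopback benchmark for the figures a firewall datasheet quotes:
connection rate, aggregate throughput and concurrent connections.
Example code written for this thread; not a tool the posters mention."""
import socket
import threading
import time
from dataclasses import dataclass

HOST = "127.0.0.1"  # loopback: the path under test in this self-contained run


@dataclass
class BenchResult:
    connections: int   # TCP connections completed
    bytes_moved: int   # payload bytes received by the server side
    seconds: float     # wall-clock duration of the run


def connection_rate(r: BenchResult) -> float:
    """Connections per second: the datasheet's 'connection rate'."""
    return r.connections / r.seconds if r.seconds > 0 else 0.0


def throughput_mbps(r: BenchResult) -> float:
    """Payload megabits per second: the datasheet's 'aggregate throughput'."""
    return (r.bytes_moved * 8) / r.seconds / 1_000_000 if r.seconds > 0 else 0.0


def _drain(listener: socket.socket, expected: int, received: list) -> None:
    """Server side: accept `expected` connections, read each to EOF, count bytes."""
    for _ in range(expected):
        conn, _ = listener.accept()
        with conn:
            total = 0
            while True:
                chunk = conn.recv(65536)
                if not chunk:
                    break
                total += len(chunk)
            received.append(total)


def _listener(backlog: int) -> socket.socket:
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind((HOST, 0))  # OS-assigned port, nothing hard-coded
    s.listen(backlog)
    return s


def benchmark_loopback(n_conns: int = 200, payload: int = 64 * 1024) -> BenchResult:
    """Open n_conns sequential TCP connections, push `payload` bytes through
    each, and time the whole run. Rate and throughput derive from the result."""
    listener = _listener(128)
    port = listener.getsockname()[1]
    received: list = []
    server = threading.Thread(target=_drain, args=(listener, n_conns, received), daemon=True)
    server.start()

    data = b"\x00" * payload
    start = time.perf_counter()
    for _ in range(n_conns):
        with socket.create_connection((HOST, port)) as client:
            client.sendall(data)  # close after send signals EOF to the server
    server.join(timeout=30)
    elapsed = time.perf_counter() - start
    listener.close()
    return BenchResult(connections=len(received), bytes_moved=sum(received), seconds=elapsed)


def hold_open(n: int = 100) -> int:
    """Open n connections and keep them all idle at the same time. Each one
    occupies a state-table entry on any stateful firewall in the path; this is
    the 'maximum number of connections' figure. Returns how many were held."""
    listener = _listener(n)
    port = listener.getsockname()[1]
    accepted: list = []

    def acceptor() -> None:
        for _ in range(n):
            conn, _ = listener.accept()
            accepted.append(conn)

    t = threading.Thread(target=acceptor, daemon=True)
    t.start()
    clients = [socket.create_connection((HOST, port)) for _ in range(n)]
    t.join(timeout=30)
    held = len(accepted)
    for s in clients + accepted:
        s.close()
    listener.close()
    return held


if __name__ == "__main__":
    # The datasheet figures from the question, expressed through the same formulas.
    sheet = BenchResult(connections=8000, bytes_moved=17_500_000, seconds=1.0)
    print(f"datasheet: {connection_rate(sheet):.0f} conn/s, {throughput_mbps(sheet):.0f} Mbps")
    res = benchmark_loopback()
    print(f"loopback: {connection_rate(res):.0f} conn/s, {throughput_mbps(res):.1f} Mbps")
    print(f"held open at once: {hold_open(100)}")
```

The loopback numbers say nothing about a firewall by themselves; they show the ceiling of the host and the tool. The comparison the question is after comes from running the same client and server with the Linux box, and then the candidate appliance, in between, and keeping everything else identical. Sequential connections measure handshake latency as much as capacity, so a serious run would drive the client from several threads or hosts, and the per-packet figure the datasheet quotes is better approximated with large UDP datagrams than with a TCP stream.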
