Re: Linux netfilter/iptables firewall : impacts on performances ?

From: Juha Laiho (Juha.Laiho_at_iki.fi)
Date: 04/29/04


Date: Thu, 29 Apr 2004 17:17:03 GMT

rdgentry1@cablelynx.com (P Gentry) said:
>Philippe <philou-666@caramail.com> wrote in message
>news:<c6qera$2n5$1@s1.read.news.oleane.net>...
>> I am looking for results of performance studies on the impact of the use
>> of the Linux netfilter/iptables firewall, typically a comparison of
>> bandwidth and delay time with and without the firewall for several types
>> of traffic (HTTP, FTP, UDP, etc.).
>
>Suspect you won't find any "types of traffic" studies that would be
>meaningful for _your_ setup -- fact is, that's one of the reasons you
>won't find many (any?) useful benchmarks re: iptables. There are just
>_too_many_ variables. Connection rate, MASQing, number of nics,
>traffic patterns, which additional modules are running and how, etc.

I recall having a discussion in the news with someone who initially
complained about huge slowdowns with iptables. What solved the problem
was to rearrange the rulesets -- there was a rather huge number of rules,
and the most frequently used ones were close to the tail of the rulesets.

Luckily, iptables maintains packet counters to show which rules match
the majority of the traffic -- and it's also possible to branch the
rulesets to reduce the average/maximum ruleset lengths.

-- 
Wolf  a.k.a.  Juha Laiho     Espoo, Finland
(GC 3.0) GIT d- s+: a C++ ULSH++++$ P++@ L+++ E- W+$@ N++ !K w !O !M V
         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)
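The counter-driven tuning Juha describes, worked through as an added example (not part of the original post): the script below parses the verbose, exact-counter listing that `iptables -nvxL INPUT` prints, ranks the rules by how many packets they matched, and estimates the average number of rules a packet traverses before and after moving the busiest rules to the head of the chain. The chain listing embedded in the script is constructed for this example, not captured from any real host; the rule set, counts and the chain name `INPUT` are assumptions. Packets that fall through to the chain policy are charged the full chain length, since they were compared against every rule.

```shell
#!/bin/sh
# Constructed sample of `iptables -nvxL INPUT` output (made up for this example).
# The two most-hit rules (loopback and RELATED,ESTABLISHED) sit near the tail,
# which is exactly the situation the post describes.
SAMPLE_COUNTERS='Chain INPUT (policy DROP 12 packets, 960 bytes)
    pkts      bytes target     prot opt in     out     source               destination
     310    24800 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:22
      45     3600 ACCEPT     tcp  --  *      *       0.0.0.0/0            0.0.0.0/0            tcp dpt:25
 9812330 7850000000 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
      12      960 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
 4503112 3602000000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED'

# rank_rules: read a chain listing on stdin and print "position pkts rule",
# busiest rule first. Positions are 1-based, as `iptables --line-numbers` shows them.
rank_rules() {
    awk 'NR > 2 {
        pos = NR - 2; pkts = $1
        $1 = ""; $2 = ""; sub(/^ +/, "")      # drop the counter columns, keep the rule text
        print pos, pkts, $0
    }' | sort -k2,2nr
}

# avg_rules_evaluated: mean number of rules compared per packet, from the counters.
# A packet matched by rule k was compared against k rules; a packet that reached
# the chain policy was compared against all of them.
avg_rules_evaluated() {
    awk '
        NR == 1 { for (i = 1; i <= NF; i++) if ($i == "packets,") policy = $(i - 1) }
        NR > 2  { pos = NR - 2; total += $1; cost += $1 * pos }
        END {
            nrules = NR - 2
            total += policy; cost += policy * nrules
            printf "%.2f\n", (total ? cost / total : 0)
        }'
}

# reorder_by_hits: same listing with the rule lines sorted by packet count, descending.
# This is only a valid rewrite when the rules are mutually exclusive; if two rules can
# match the same packet, their relative order is part of the policy and must be kept.
reorder_by_hits() {
    input=$(cat)
    printf '%s\n' "$input" | head -n 2
    printf '%s\n' "$input" | tail -n +3 | sort -k1,1nr
}

echo "Rules by packet count (position pkts rule):"
printf '%s\n' "$SAMPLE_COUNTERS" | rank_rules
echo "Average rules evaluated per packet, current order:  $(printf '%s\n' "$SAMPLE_COUNTERS" | avg_rules_evaluated)"
echo "Average rules evaluated per packet, busiest first:   $(printf '%s\n' "$SAMPLE_COUNTERS" | reorder_by_hits | avg_rules_evaluated)"
```

On a live system, replace the constructed listing with `iptables -nvxL INPUT` (the `-x` flag prints exact counters instead of rounded `K`/`M` values). The metric is a traversal estimate, not a latency measurement, but it makes the post's point concrete: here the same five rules cost about 3.6 comparisons per packet in the original order and about 1.3 once the loopback and established-connection rules lead. The branching the post mentions is the complementary fix when the busy rules cannot simply be moved: collecting, say, all per-port rules into a user-defined chain (`iptables -N` plus a single `-j` into it) keeps the main chain short for the common case and bounds the worst-case walk to one branch.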