Firewall throughput measurement?

All:

Is there a "standardized" way of measuring throughput of a firewall?

I have a simple Linux box with two NICs serving as my firewall, and it works fine, but I can't help but wonder if it is a bottleneck between me and the internet (there are other machines that go through the firewall). I was wondering if there was a "conventional" way of measuring either the "throughput" of a firewall, or the latency it might be introducing.

Thanks in advance,

-intrepid_dw

Reply to
intrepid_dw

Two kinds of things to measure: link utilization and CPU usage. TCP utilization typically maxes out at 70-73% before there are a ton of transmission retries, all of which is both delay and lost effort. A 10mb NIC will run at 7.3mb and a 100mb @ 73mb. You can monitor those directly, and you need a secondary physical network when you get to this level consistently.

The latency introduced by the passthru nic-1 --- nic-2 will be low as long as background processing does not climb too high. Set your timeslice to a smaller number as your background CPU increases. Every I/O interrupt will allow the kernel to move link data during the process swap.

Reply to
Jeff B

I agree with the above and would add number of connections too.

You could use MRTG to measure the bandwidth and CPU. Perhaps a stress test with something like siege?

We don't generally see this issue unless you have a great deal of bandwidth, or are running the firewall between two LANs. Most of the time the firewall is much faster than a few mb/s.

Scott R. Haven Sr. Systems Engineer Managed Security Services Paisley Systems, Inc.


Reply to
Scott R. Haven
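The two measurements suggested above, link utilization against the ~70% TCP ceiling (Jeff B) and the number of tracked connections (Scott), can be taken directly on the Linux firewall without MRTG. The script below is an added example for this thread, not code from any poster. It assumes the two NIC names and their link speeds are supplied by the caller (eth0/eth1 at 100 Mb/s are placeholders) and reads the standard /proc/net/dev and /proc/sys/net/netfilter/nf_conntrack_{count,max} files.

```python
"""Sample /proc/net/dev and conntrack counters on a Linux firewall.

Added example for this thread, not code from any poster. Assumptions:
- interface names and link speeds (Mb/s) are passed in by the caller;
- the 70% TCP utilization ceiling quoted in the thread is the warning threshold.
"""
import json
import time

WARN_UTIL = 0.70  # above ~70% utilization the thread expects heavy TCP retransmission


def parse_proc_net_dev(text):
    """Return {iface: (rx_bytes, tx_bytes)} from the contents of /proc/net/dev."""
    stats = {}
    for line in text.splitlines()[2:]:          # first two lines are column headers
        if ":" not in line:
            continue
        iface, rest = line.split(":", 1)        # name may be glued to the first counter
        fields = rest.split()
        if len(fields) < 16:                    # 8 receive + 8 transmit columns
            continue
        rx_bytes = int(fields[0])               # receive bytes
        tx_bytes = int(fields[8])               # first transmit column is bytes
        stats[iface.strip()] = (rx_bytes, tx_bytes)
    return stats


def utilization(before, after, interval_s, speeds_mbps):
    """Per-NIC Mb/s in each direction and fraction of link speed over the interval."""
    report = {}
    for iface, speed in speeds_mbps.items():
        if iface not in before or iface not in after:
            continue
        rx = (after[iface][0] - before[iface][0]) * 8 / interval_s / 1e6
        tx = (after[iface][1] - before[iface][1]) * 8 / interval_s / 1e6
        busiest = max(rx, tx)                   # full duplex: each direction has its own capacity
        report[iface] = {
            "rx_mbps": round(rx, 2),
            "tx_mbps": round(tx, 2),
            "util": round(busiest / speed, 3),
            "warn": busiest / speed >= WARN_UTIL,
        }
    return report


def conntrack_pressure(count, maximum):
    """Fraction of the conntrack table in use; a full table drops new connections."""
    return {"count": count, "max": maximum, "util": round(count / maximum, 3)}


def read_int(path):
    with open(path) as f:
        return int(f.read().strip())


def sample(speeds_mbps, interval_s=10):
    """Take two /proc/net/dev snapshots interval_s apart and read the conntrack counters."""
    with open("/proc/net/dev") as f:
        before = parse_proc_net_dev(f.read())
    time.sleep(interval_s)
    with open("/proc/net/dev") as f:
        after = parse_proc_net_dev(f.read())
    result = {"links": utilization(before, after, interval_s, speeds_mbps)}
    try:
        result["conntrack"] = conntrack_pressure(
            read_int("/proc/sys/net/netfilter/nf_conntrack_count"),
            read_int("/proc/sys/net/netfilter/nf_conntrack_max"))
    except OSError:
        result["conntrack"] = None              # conntrack module not loaded
    return result


if __name__ == "__main__":
    # Placeholder NIC names and speeds; change to match your firewall.
    print(json.dumps(sample({"eth0": 100, "eth1": 100}), indent=2))
```

Run it on the firewall itself while the other machines are busy; a NIC whose `warn` flag is set, or a conntrack table near `max`, is the bottleneck the original question asks about.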

Yes, it's called an 'Avalanche', made by Spirent.

If you want to test the throughput for a headline figure, something like iperf should do the trick.

greg

Reply to
Greg Hennessy
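For the headline figure Greg mentions, iperf3's `--json` output can be parsed into a single throughput number, and the latency the firewall adds (the second half of the original question) can be estimated by pinging a host on the near side and a host on the far side of the box and taking the difference of the average RTTs. The following is an added example, not from any poster; it assumes iperf3 is run with `--json` against an `iperf3 -s` server on the far side, and that `near_host`/`far_host` are chosen so the only difference in path is the firewall.

```python
"""Headline throughput and added latency through a firewall, from iperf3 and ping.

Added example for this thread, not from any poster. Assumptions:
- iperf3 output comes from `iperf3 -c <server> --json` (TCP or UDP run);
- ping output contains the usual "rtt min/avg/max/mdev = ..." summary line;
- near_host sits on the LAN side of the firewall, far_host beyond it.
"""
import json
import re
import subprocess

RTT_RE = re.compile(r"rtt min/avg/max/mdev = ([\d.]+)/([\d.]+)/([\d.]+)/([\d.]+) ms")


def parse_iperf3(json_text):
    """Reduce iperf3 --json output to the numbers worth quoting."""
    end = json.loads(json_text)["end"]
    if "sum" in end and "lost_percent" in end["sum"]:       # UDP run
        s = end["sum"]
        return {"proto": "UDP",
                "mbps": round(s["bits_per_second"] / 1e6, 1),
                "lost_percent": s["lost_percent"],
                "jitter_ms": s["jitter_ms"]}
    return {"proto": "TCP",                                  # TCP run: receiver-side goodput
            "mbps": round(end["sum_received"]["bits_per_second"] / 1e6, 1),
            "retransmits": end["sum_sent"].get("retransmits", 0)}


def parse_ping_rtt(ping_output):
    """Extract min/avg/max RTT (ms) from ping's summary line."""
    m = RTT_RE.search(ping_output)
    if not m:
        raise ValueError("no rtt summary line in ping output")
    return {"min": float(m.group(1)), "avg": float(m.group(2)), "max": float(m.group(3))}


def added_latency_ms(direct_ping, through_ping):
    """Average RTT beyond the firewall minus average RTT in front of it."""
    return round(parse_ping_rtt(through_ping)["avg"] - parse_ping_rtt(direct_ping)["avg"], 3)


def measure(server, near_host, far_host, seconds=10, pings=20):
    """Run the tools for real; server must be running `iperf3 -s` beyond the firewall."""
    iperf = subprocess.run(["iperf3", "-c", server, "-t", str(seconds), "--json"],
                           capture_output=True, text=True, check=True).stdout
    direct = subprocess.run(["ping", "-c", str(pings), near_host],
                            capture_output=True, text=True).stdout
    through = subprocess.run(["ping", "-c", str(pings), far_host],
                             capture_output=True, text=True).stdout
    return {"throughput": parse_iperf3(iperf),
            "added_latency_ms": added_latency_ms(direct, through)}


if __name__ == "__main__":
    import sys
    # Placeholders: iperf3 server, near-side host, far-side host.
    print(json.dumps(measure(*sys.argv[1:4]), indent=2))
```

A TCP run whose `retransmits` climbs sharply as `mbps` approaches the ~70% figure from earlier in the thread is the retry behaviour Jeff B describes; a UDP run shows the same limit as rising `lost_percent` instead.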

You may want to review the effects of transport protocol variants. For instance, by utilizing Fast-TCP or other high-bandwidth protocol stack specifications you can increase your efficiency with great success.

This goes for both TCP and UDP protocols; however, the TCP variants will have the greatest effect due to the processing requirements of the connection-oriented nature.

Reply to
Secure Buddha

Hum; in a pass-thru routed connection inbound -->nic-1 -- system --- nic-2 --->outbound the routing tables are all that are necessary, and the buffers from nic-1 are moved directly to the nic-2 interface without processing. This all occurs in the kernel.

Isn't Fast-TCP an application layer issue?

Reply to
Jeff B

The TCP segments and UDP datagrams are transport layer types.

For instance, ingress traffic that is destined for internal nodes can be filtered based on connection state or control bit logic. The process efficiency is relevant to the kernel processes of the netfilter engine. Packet matching functionality cannot be performed without the tearing-down and reassembly of packets through the filter process.

Surely, you can visualize how the network message efficiency can be transport variant implementation dependent.

Reply to
Secure Buddha

Thank you ALL for your great information and suggestions!!!

-intrepid_dw

Reply to
intrepid_dw

Cabling-Design.com Forums website is not affiliated with any of the manufacturers or service providers discussed here. All logos and trade names are the property of their respective owners.