| View previous topic :: View next topic |
| Author |
Message |
Mnemia
Guru
Joined: 17 May 2002
Posts: 476
|
 Posted: Wed Jun 04, 2003 2:26 pm Post subject: Firewall performance loop |
 |
|
Hi,
Sorry if this question has an obvious answer, but I wanted to check some things out with some people who are more knowledgable than myself. I'm trying to measure the time that it takes certain packets to be processed through a firewall I'm working on and forwarded on. The scheme I've set up to measure this is to have a single machine send a packet through the firewall and then the have the same machine receive the packet on the other side (through a second interface.) The reason I want to set it up like this is to eliminate any issues with clock synchronization when I do the timing.
However, if I route a packet to the same machine, the loopback interface will take over and the packet will never leave the machine. To accomplish the setup I want, should I just disable the loopback interface and then change the routing table so all packets go out to the firewall?
Also, does anyone have any recommendations about software I could use to do the actual timing?
Thanks in advance. |
|
| Back to top |
|
 |
Mnemia
Guru
Joined: 17 May 2002
Posts: 476
|
| Posted: Wed Jun 04, 2003 2:42 pm Post subject: |
|
|
I'd add:
I've found several relevant RFCs and papers on this, but I'd be interested to know if anyone has any concrete software recommendations for something like this. |
|
| Back to top |
|
|
DefconAlpha
Apprentice
Joined: 25 Feb 2003
Posts: 151
Location: Alabama
|
| Posted: Wed Jun 04, 2003 2:57 pm Post subject: write code |
|
|
write a simple code for the host computer to send it to the firewall, have the firewall forward all packets back out the same interface that came into it, and then check the total time taken to accomplish this.
But then again, it's really trivial for most (read pentium class and better) to filter a packet. Most packets will top out at a whopping 64KB. Doesn't take too long to inspect the header, change a few numbers and spit it out again.
What kind of application are you going to be making with a time-critical firewall? or is it something more like many users using one firewall and you are trying to estimate load?
_________________
In the end, the love you get is equal to the love you make
--John Lennon & Paul McCartney (The End - Abbey Road, |
|
| Back to top |
|
|
Mnemia
Guru
Joined: 17 May 2002
Posts: 476
|
| Posted: Wed Jun 04, 2003 3:17 pm Post subject: |
|
|
| It's more like many users on a single firewall. I want to compare how much overall network throughput through the firewall is affected by various rulesets I'm looking at for iptables. The load I want to test this under will be very heavy (I'm planning to use some sort of traffic generation software on a powerful machine to test this out). I want to see how much delay is introduced into the total transit time by increasing the complexity of the rulesets on the firewall. |
|
| Back to top |
|
|
|
Networking & Security
