how to test and improve the performance of linux firewall?
Sun, 28 Apr 2002 16:00:26 +0200
2002-04-28 21:47:28+0800, zheng chuanbo <firstname.lastname@example.org> ->
> We use Linux as a firewall, and met some problems with the
> performance of the system, such as throughput. Sometimes
> the firewall does not work well; maybe there are too
> many computers which cause large throughput, and
> we wanted to test the performance of the firewall. We
> use netpipe to test it, but I don't think the results
> were accurate, because we had tested it with a
> SmartBits 2000. We do not own such a device; someone
> else helped us to make such a test, and we cannot
> often use the SmartBits.
> So how to test the performance of the firewall more
> accurately? And is there some good way to improve the
> performance of Linux?
> Thanks for help.
We use iptables on our router here, pushing 30Mbit and about 6k pps in each
direction normally. Tops even higher. We have over 2000 iptables rules. We
are using connection tracking. We have no problem at all with this. You
should check your drivers and hardware. Very little hardware is suitable for
a Linux router. You must have the right network card, chipset and motherboard.
Search for Linux router pages that recommend good hardware and drivers for
Linux. Your question is impossible to answer since performance depends on too
One good site for a whole distro is:
And the NAPI driver for the tulip D-Link DFE-570 card or the Intel e1000:
NAPI is the new API for the drivers in Linux. Much faster. It is included in
the latest kernel 2.5.* and will be included in 2.4.* soon.
Also check for kernel messages. If you are using conntrack you might want to
increase that table size:
modprobe ip_conntrack hashsize=131072
echo 262144 > /proc/sys/net/ipv4/ip_conntrack_max
/Joakim Axelsson A.K.A Gozem@EFnet & OPN
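As an added illustration of the two tuning hints in the reply above (check the kernel log, and size the conntrack table), not code from the thread: a small POSIX sh script that reports how full the conntrack table is and counts "table full" drop messages. The sysctl paths (modern nf_conntrack_* with the 2.4-era ip_conntrack_* as fallback), the 80%/95% thresholds and the sample log lines are all assumptions of this example.

```shell
#!/bin/sh
# Added example, not from the original mail. Reports conntrack table usage
# and counts kernel "table full" drops; thresholds and paths are assumptions.

# conntrack_usage_pct COUNT MAX -> integer percentage of the table in use
conntrack_usage_pct() {
    count=$1; max=$2
    [ "$max" -gt 0 ] || { echo 0; return 1; }
    echo $(( count * 100 / max ))
}

# conntrack_verdict COUNT MAX -> "ok", "warn" (>=80%) or "full" (>=95%)
conntrack_verdict() {
    pct=$(conntrack_usage_pct "$1" "$2")
    if [ "$pct" -ge 95 ]; then echo full
    elif [ "$pct" -ge 80 ]; then echo warn
    else echo ok; fi
}

# read_conntrack_value NAME -> prints the live sysctl (count or max),
# trying the modern nf_conntrack path first, then the 2.4-era ip_conntrack one
read_conntrack_value() {
    for f in /proc/sys/net/netfilter/nf_conntrack_$1 \
             /proc/sys/net/ipv4/ip_conntrack_$1; do
        [ -r "$f" ] && { cat "$f"; return 0; }
    done
    return 1
}

# Constructed sample kernel log lines (not real captures); the drop message
# text matches what the 2.4 ip_conntrack and later nf_conntrack code logs.
SAMPLE_DMESG='[12345.678] ip_conntrack: table full, dropping packet.
[12345.679] eth0: link up
[12345.680] ip_conntrack: table full, dropping packet.'

# count_table_full LOGTEXT -> number of conntrack "table full" drop lines
count_table_full() {
    printf '%s\n' "$1" | grep -c 'conntrack: table full' || true
}

# Run without arguments: uses live counters when present, otherwise the
# constructed demo values (250000 of 262144 entries, the max from the mail).
main() {
    count=$(read_conntrack_value count) || count=250000
    max=$(read_conntrack_value max) || max=262144
    pct=$(conntrack_usage_pct "$count" "$max")
    echo "conntrack: $count / $max entries ($pct%): $(conntrack_verdict "$count" "$max")"
    echo "table-full drops in sample log: $(count_table_full "$SAMPLE_DMESG")"
}
main
```

A "warn" or "full" verdict, or a non-zero drop count from the real `dmesg`, is the signal that raising ip_conntrack_max (and the hashsize alongside it) as the mail describes is worthwhile.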