Firewall Wizards mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Firewall rules order and performance

From: david () lang hm
Date: Fri, 17 Jul 2009 18:38:10 -0700 (PDT)
On Fri, 17 Jul 2009, Pierre Blanchet wrote:


This is a well known idea that the rules order is important for the best performance of a firewall. However, nowadays:
1. Stateful firewalls use their stateful engine for existing connections to allow traffic. That means that their 
performance is more related to the number of existing sessions rather than the number of rules, or more exactly it is 
tied to the ratio new/existing sessions.
2. Some firewalls no longer parse the configuration line by line but use hardware-based or tree-based model. Again,  
the number of rules has less effect on the performance.

I'm looking for benchmarks/ideas that could prove I'm right or wrong. I know for sure that FW-1 and IOS depend on the rules 
order but what about the others ? Google didn't give any information one way or the other.
this is going to depend on which firewall you look at, and potentially which release of the software.
ordering the rules by how frequently they are used doesn't hurt performance on systems that do tree-based rules internally, so the only possible thing that you would gain is in the orginization of the rulesets, and I'm not sure that that's enough to worry about trying to keep track of which releases of which firewalls have which behavior. 

David Lang
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Previous By Date Next
Previous By Thread Next

Current thread: