May 24, 2004

What Difference Does a Firewall (ipf) Make in HTTP Performance?

Getting ready to put a new machine into service with a reconfigured set of ipf rules, I wanted to see just how much of a difference the firewall makes in performance. It seemed like a good time to measure, as nothing else is happening on the machine, so I could actually get some fairly reliable results.

If I pound on the server with thousands of HTTP requests while ipf is up, we're serving out pages at an average of .33 seconds each. When I turn off the firewall and make the same set of requests, the pages get served in .32 seconds, meaning we are .01 seconds faster without the firewall.

That seems like an acceptable hit for having the firewall up. The latest config changes were to use ipf's rule groups, which means a packet only sees a small subset of the rules once ipf has determined its interface, direction and service. Each of our machines has several network interfaces and requires ~150 lines of ipf rules (the count varies depending on the machine's purpose).
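To show what the rule-group layout looks like, here is an added ipf ruleset sketch (not the ruleset from this post or from any of our machines). The interface names fxp0/fxp1, the 192.0.2.10 management host and the 10.0.0.0/8 internal range are assumed placeholders. The point is that a `head` rule is only a gateway: a packet that does not match the head never has the group's rules evaluated against it, so a flat list of ~150 rules becomes a handful of short lists, one per interface and direction.

```ipf
# Default policy: deny anything not explicitly allowed further down.
block in all
block out all

# Group heads, one per interface and direction. ipf only descends into
# group 100 for packets arriving on fxp0; every other packet skips those
# rules entirely. Because the head is "quick", a packet that matches the
# head but nothing inside the group is dropped right here.
block in quick on fxp0 all head 100
block out quick on fxp0 all head 150
block in quick on fxp1 all head 200
block out quick on fxp1 all head 250

# Group 100: inbound on the public interface (fxp0).
# Only the HTTP/HTTPS SYNs and SSH from the management host get through;
# "keep state" lets the rest of each connection pass without re-evaluation.
pass in quick proto tcp from any to any port = 80 flags S keep state group 100
pass in quick proto tcp from any to any port = 443 flags S keep state group 100
pass in quick proto tcp from 192.0.2.10/32 to any port = 22 flags S keep state group 100
# Log what the public interface refuses; the head would block it anyway.
block in log quick all group 100

# Group 150: outbound on fxp0. Replies to inbound connections are already
# matched by the state table, so this only covers connections we originate.
pass out quick proto tcp from any to any flags S keep state group 150
pass out quick proto udp from any to any port = 53 keep state group 150

# Groups 200/250: the internal interface (fxp1), trusted for SSH only.
pass in quick proto tcp from 10.0.0.0/8 to any port = 22 flags S keep state group 200
pass out quick proto tcp from any to any flags S keep state group 250
```

With this layout an HTTP SYN on fxp0 is compared against the two default rules, the four heads and then the group 100 rules, rather than every rule for every interface. `ipfstat -hio` shows per-rule hit counts, which is a quick way to confirm that the rules in a group are only being hit by traffic for that interface and direction.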

Posted by mike at May 24, 2004 6:23 PM