Firewall Wizards mailing list archives

Firewall rules order and performance
From: Pierre Blanchet <pierre.blanchet () exaprotect com>
Date: Fri, 17 Jul 2009 16:51:48 +0200

It is a well-known idea that rule order is important for the best performance of a firewall. However, nowadays:
1. Stateful firewalls use their stateful engine for existing connections to allow traffic. That means that their performance is more related to the number of existing sessions than to the number of rules, or more exactly it is tied to the ratio of new to existing sessions.
2. Some firewalls no longer parse the configuration line by line but use a hardware-based or tree-based model. Again, the number of rules has less effect on the performance.

I'm looking for benchmarks/ideas that could prove I'm right or wrong. I know for sure that FW-1 and IOS depend on the rule order, but what about the others? Google didn't give any information one way or the other.

--
Pierre Blanchet
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
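The two mechanisms Pierre contrasts (a session table in front of a first-match rule walk, and an indexed rule set instead of a linear one) can be measured on a toy model. The following is an added example written for this archive page; it is not code from the post, nor from FW-1, IOS or any vendor's engine. Everything in it is constructed: the `Firewall` class, the 49 filler rules, the client flows and the `cost()` helper are assumptions made to count rule comparisons, which is the only thing the model tracks (no timing, no hardware offload). The session table matches one direction only, for brevity; a real state table also matches reply packets.

```python
"""Toy model of three ways a packet filter finds the matching rule:
a linear first-match walk, the same walk behind a session table, and a
walk over a per-destination-port index. Counts rule comparisons so the
effect of rule order can be measured instead of guessed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    proto: Optional[str]   # None means "any"
    dst: Optional[str]
    dport: Optional[int]
    action: str            # "accept" or "drop"

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    """First-match rule base with an optional session table and an optional dport index."""

    def __init__(self, rules: List[Rule], stateful: bool = False, indexed: bool = False):
        self.rules = list(rules)
        self.stateful = stateful
        self.indexed = indexed
        self.sessions = set()      # 5-tuples already accepted (constructed: one direction only)
        self.comparisons = 0       # Rule.matches() calls, the cost this model measures
        self.state_hits = 0        # packets answered from the session table without a rule walk
        # Bucket rules by destination port; rules with a wildcard port go in the None bucket.
        # Each bucket keeps (position, rule) so first-match order survives the merge.
        self.index: Dict[Optional[int], List[Tuple[int, Rule]]] = {}
        for pos, r in enumerate(self.rules):
            self.index.setdefault(r.dport, []).append((pos, r))

    def _candidates(self, p: Packet) -> List[Rule]:
        if not self.indexed:
            return self.rules
        cands = self.index.get(p.dport, []) + self.index.get(None, [])
        return [r for _, r in sorted(cands, key=lambda t: t[0])]

    def process(self, p: Packet) -> str:
        key = (p.proto, p.src, p.dst, p.sport, p.dport)
        if self.stateful and key in self.sessions:
            self.state_hits += 1
            return "accept"
        for rule in self._candidates(p):
            self.comparisons += 1
            if rule.matches(p):
                if rule.action == "accept" and self.stateful:
                    self.sessions.add(key)
                return rule.action
        return "drop"   # implicit default deny at the end of the rule base


def rule_base(https_first: bool) -> List[Rule]:
    """49 constructed filler rules that never match the test traffic, plus one HTTPS rule."""
    filler = [Rule("tcp", f"192.0.2.{i}", 22, "accept") for i in range(1, 50)]
    https = Rule("tcp", "192.0.2.100", 443, "accept")
    return [https] + filler if https_first else filler + [https]


def traffic(sessions: int, packets_per_session: int) -> List[Packet]:
    """Constructed client flows to the HTTPS server, each carrying several packets."""
    return [Packet("tcp", "198.51.100.7", "192.0.2.100", 40000 + s, 443)
            for s in range(sessions) for _ in range(packets_per_session)]


def cost(https_first: bool, stateful: bool, indexed: bool,
         sessions: int = 100, packets_per_session: int = 10) -> Tuple[int, int]:
    """Return (rule comparisons, session-table hits) for one configuration."""
    fw = Firewall(rule_base(https_first), stateful=stateful, indexed=indexed)
    for p in traffic(sessions, packets_per_session):
        assert fw.process(p) == "accept"
    return fw.comparisons, fw.state_hits


if __name__ == "__main__":
    for label, kw in [("linear,  stateless", dict(stateful=False, indexed=False)),
                      ("linear,  stateful ", dict(stateful=True, indexed=False)),
                      ("indexed, stateful ", dict(stateful=True, indexed=True))]:
        last, _ = cost(https_first=False, **kw)
        first, _ = cost(https_first=True, **kw)
        print(f"{label}: HTTPS rule last = {last:6d} comparisons, first = {first:6d}")
```

With 100 flows of 10 packets each, moving the HTTPS rule from position 50 to position 1 cuts the stateless walk from 50000 comparisons to 1000, but the stateful walk only from 5000 to 100, because 900 of the 1000 packets never reach the rule base. Set `packets_per_session=1` (every packet opens a new session) and the stateful figure climbs back to the stateless one, which is the new/existing ratio Pierre mentions. With the dport index on, the count is 100 regardless of where the HTTPS rule sits, since only the rules in its port bucket (plus any wildcard-port rules) are ever compared.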

