 From:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Future OS Base for M0n0wall
 Date:  Thu, 5 May 2005 18:16:03 -0400
On 5/4/05, Scott Nasuta <tcslv at cox dot net> wrote:
> > 5.3 and 5.4 and pfSense are actually slower than m0n0wall and 5.3 by
> > about 900 Kbps on a 4501 (11.4 vs. 10.5 Mbps), and similar percentages
> > on WRAP and 4801.  5.4 brought no improvement over 5.3.  PF does
> > handle more sessions a lot better than ipf though, it seems, though
> > it's extremely unsteady.
> I wonder how "Real World" these throughput results portray. There is
> MUCH more to firewall performance than just throughput test. Latency
> is a big part as is the performance decrease of increasing rules.

Those are just an indicator for comparison purposes.  Here's a real
world test of a 4501.  It's very difficult to do real world tests of
anything faster since you can't max it out with typical internet
bandwidth.  http://chrisbuechler.com/4vs5/
On 4.10, that's not even maxing out the 4501.  5.3 and 5.4 can't push
6 Mb through a 4501.  That's as real world as it gets.  A lot of
people have 4501s, and more than 3-3.5 Mb of bandwidth.

> I know it is old but I am sure you saw the testing done between PF,
> IPF and IPTables? Eliminating IPTables because it is not Stateful, PF
> seemed to better IPF in all the tests. Not by knockout numbers but
> better. http://www.benzedrine.cx/pf-paper.html

Too old to be of much use, though actually newer PF versions are
supposed to be faster.  It'd be nice to see newer performance stats.

> > ... Remember m0n0wall is focused towards embedded hardware.
> One thing I like about m0n0. PfSense seems to want to do everything on
> one box. I like the KISS concept when it applies to firewalls. 

No, it wants to give you the option of doing everything if you so
desire.  That's why all the extras aren't in the base system.  If you
want to shoot yourself in the foot, hey go for it.  In certain
environments adding many of those things isn't a problem so long as
you have the hardware to handle it.  The only added risk for the vast
majority of them is on the LAN side, and in a lot of circumstances
people can (or choose to) ignore LAN risks.

> Plus I like how m0n0 can be
> run right from CD allowing me to disconnect HD saving more power. Any
> speed disadvantages of running 100% from memory if HD is available?

m0n0 runs 100% from memory whether you're using CD, HD, or whatever.  

> How come m0n0 still hasn't at least tried to move onto IPFilter 4x
> yet? It is at version 4.1.8 already and surely whatever was holding
> Manuel back is fixed by now?

I think there are still serious issues in getting it compiled on
FreeBSD, though I could be wrong.  Also I seem to hear it's extremely
buggy still.  The version we have now is buggy enough!  FreeBSD hasn't
upgraded the version in the base system, and there must be a good
reason for that.