impact of disabling firewall on performance?

h bagade bagadeh at gmail.com
Wed Sep 18 09:35:20 UTC 2013


On Wed, Sep 18, 2013 at 1:48 PM, Luigi Rizzo <rizzo at iet.unipi.it> wrote:

>
> On Wed, Sep 18, 2013 at 10:07 AM, Ian Smith <smithi at nimnet.asn.au> wrote:
>
>> On Wed, 18 Sep 2013 12:00:30 +0430, h bagade wrote:
>>  > Hi all,
>>  >
>>  > I've heard that disabling the firewall with commands or by setting the
>>  > related sysctl parameter wouldn't increase performance, and that the
>>  > firewall still participates in the forwarding process. The only way to
>>  > reach better performance is to have the firewall modules loaded
>>  > dynamically and thereafter unload them!
>>
>> Where exactly did you hear that?
>>
>>  > I want to know: is it right? And if so, why should it be like this?
>>
>> The difference between not invoking a firewall at all and invoking one
>> with a single 'pass all' rule would be fairly difficult to measure per
>> packet.  If your firewall is a bottleneck you likely have larger issues.
>>
>
> well...
> unloading or disabling the firewall with a sysctl is likely
> exactly the same in terms of performance -- it's just
> something like
>
>     if (firewall_loaded || firewall_enabled) {
>          invoke_firewall(...);
>     }
>
> However, executing the firewall with a single pass rule consumes
> some significant amount of time, see
> http://info.iet.unipi.it/~luigi/papers/20091201-dummynet.pdf
> (those numbers are from 2009 and I measured about 400ns;
> recent measurements with ipfw-over-netmap on a fast i7
> give about 100ns per packet).
>
> This is definitely measurable.
>
> cheers
> luigi
>
>
Thank you a lot for your great help.
Now I am sure that just disabling firewall is enough and there is no need
to unload the module.

