[fw-wiz] Firewall rules order and performance
- From: Pierre Blanchet <pierre.blanchet@xxxxxxxxxxxxxx>
- Date: Fri, 17 Jul 2009 16:51:48 +0200
This is a well known idea that the rules order is important for the best performance of a firewall. However, nowadays:
1. Stateful firewalls use their stateful engine for existing connections to allow traffic. That means that their performance is more related to the number of existing sessions rather than the number of rules, or more exactly it is tied to the ratio new/existing sessions.
2. Some firewalls no longer parse the configuration line by line but use hardware-based or tree-based model. Again, the number of rules has less effect on the performance.
I'm looking for benchmarks/ideas that could prove I'm right or wrong. I know for sure that FW-1 and IOS depend on the rules order but what about the others ? Google didn't give any information one way or the other.
firewall-wizards mailing list