Re: [fw-wiz] Firewall rules order and performance

On Fri, 17 Jul 2009, Pierre Blanchet wrote:

> This is a well-known idea that the rules order is important for the best performance of a firewall. However, nowadays:
> 1. Stateful firewalls use their stateful engine for existing connections to allow traffic. That means that their performance is more related to the number of existing sessions rather than the number of rules, or more exactly it is tied to the ratio new/existing sessions.
> 2. Some firewalls no longer parse the configuration line by line but use a hardware-based or tree-based model. Again, the number of rules has less effect on the performance.
>
> I'm looking for benchmarks/ideas that could prove I'm right or wrong. I know for sure that FW-1 and IOS depend on the rules order, but what about the others? Google didn't give any information one way or the other.

this is going to depend on which firewall you look at, and potentially which release of the software.

ordering the rules by how frequently they are used doesn't hurt performance on systems that do tree-based rules internally, so the only possible thing that you would gain is in the organization of the rulesets, and I'm not sure that that's enough to worry about trying to keep track of which releases of which firewalls have which behavior.

David Lang
firewall-wizards mailing list
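As an added illustration of the two points discussed in this thread (example code, not anything posted by the participants): a small Python model in which new sessions walk a first-match linear rule list while established sessions hit a state table, so the cost of a bad rule order scales with the new/existing session ratio rather than with the packet count. All rule names, addresses and traffic below are constructed.

```python
"""Constructed model: linear first-match rule scan for new sessions,
O(1) state-table lookup for established ones, rule comparisons counted."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Rule:
    name: str
    proto: str
    dport: int    # 0 = any port
    action: str   # "accept" or "drop"

    def matches(self, flow):
        return flow[0] == self.proto and (self.dport == 0 or flow[1] == self.dport)

@dataclass
class StatefulFirewall:
    rules: list
    sessions: set = field(default_factory=set)
    comparisons: int = 0  # rule evaluations spent on new sessions

    def handle(self, src, flow):
        key = (src, flow)
        if key in self.sessions:          # established: state table, no rule walk
            return "accept"
        for rule in self.rules:           # new session: linear first-match scan
            self.comparisons += 1
            if rule.matches(flow):
                if rule.action == "accept":
                    self.sessions.add(key)
                return rule.action
        return "drop"                     # implicit default deny, no state kept

def simulate(rules, packets):
    """Return (rule comparisons, packets accepted) for a stream of (src, (proto, dport))."""
    fw = StatefulFirewall(list(rules))
    accepted = sum(fw.handle(src, flow) == "accept" for src, flow in packets)
    return fw.comparisons, accepted

# Constructed rule base: the busiest service (HTTPS) is placed last or first.
COMMON = [Rule("dns", "udp", 53, "accept"), Rule("ssh", "tcp", 22, "accept"),
          Rule("smtp", "tcp", 25, "accept"), Rule("ntp", "udp", 123, "accept")]
HTTPS = Rule("https", "tcp", 443, "accept")
WORST_ORDER = COMMON + [HTTPS]
BEST_ORDER = [HTTPS] + COMMON

def https_stream(new_sessions, packets_per_session):
    """Constructed traffic: each client opens one HTTPS session and sends N packets."""
    return [(f"10.0.0.{i}", ("tcp", 443))
            for i in range(new_sessions) for _ in range(packets_per_session)]
```

Comparing `simulate(WORST_ORDER, https_stream(10, 1))` with `simulate(WORST_ORDER, https_stream(10, 100))` shows the rule-walk cost stays at 50 comparisons while the packet count grows a hundredfold, which is the new/existing ratio argument; swapping in `BEST_ORDER` cuts it to 10 regardless.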
