[luau] Open Source Firewall comparison

MonMotha monmotha at indy.rr.com
Wed Jun 19 15:18:01 PDT 2002 

Quothe the article: "Iptables has not been included in this benchmark 
because it does not do stateful filtering comparable to pf and IPFilter. 
The version of iptables that we tested employs connection tracking 
without any sequence number analysis for packets outside of the initial 
TCP handshake. While this is unsurprisingly faster, it would be an 
unfair performance comparison. There is a patch for iptables that adds 
sequence number checking, but it is still beta and is not included in 
the GNU/Linux distribution used for testing."

Iptables is stateful (if you use the state match of course), but not in 
the same way as pf/ipf.  Since they couldn't perform a fair comparison 
(iptables would have been MUCH faster than ipf/pf, as they stated, but 
doesn't track all sequence numbers), they decided not to include it. 
This is fair reporting, nothing more.

As they note, there is a patch to make it do things more like pf/ipf, 
and it is the patch you refer to: "'Real Stateful TCP Packet Filtering 
in IP Filter' by Guido van Rooij".  The paper is available at 
http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz.  I haven't 
used the patch personally on any "production" systems, but I've talked 
with people who have and they say it seems to work fine.  The 
patch-o-matic lists the status of the patch as "proven to be quite 
stable, but still experimental".  This is the experimental/beta nature 
the article refers to.  I don't see a date on the article (there's 
probably one there; I just don't see it), so the status may have been 
even more experimental when they did the testing for the report.

Hope this helps.

--MonMotha

Dustin Cross wrote:
> I was just reading an article comparing the performance of opensource
> firewalls (IPtables, IPfilter, and PF).  There is some interesting
> information in it.
> 
> http://www.benzedrine.cx/pf-paper.html
> 
> IPtables was the best performing stateless firewall, but was not tested for
> stateful packet inspection, because "it does not perform proper state
> tracking".  This was news to me.  I was wondering if anyone on the list had
> some insite on this?
> 
> I did some reading at http://www.iptables.org/ and found that there is a
> patch that "allows netfilter do TCP connection tracking according to the
> article Real Stateful TCP Packet Filtering in IP Filter by Guido van Rooij.
> It supports window scaling, and can now handle already established
> connections."
> 
> Here is a link the paper they refer to:
> http://www.usenix.org/events/sec01/invitedtalks/rooij.pdf
> 
> 
> 
> 
> _______________________________________________
> LUAU mailing list
> LUAU at videl.ics.hawaii.edu
> http://videl.ics.hawaii.edu/mailman/listinfo/luau
>

More information about the LUAU mailing list