DaemonForums > OpenBSD > OpenBSD Security

OpenBSD Security Functionally paranoid!

#1
15th August 2011
Vauteck
New User
Join Date: Aug 2011
Posts: 1
PF sessions/s rate evaluation

Hello everyone,

I'm currently a master's degree student, and I'd like to benchmark packet filter on the number of TCP sessions per second it can handle.

So I've got a very basic setup working, consisting of one server running OpenBSD 4.9 with PF (acting as firewall-router), and 2 PCs running Linux, acting respectively as client and webserver (running apache2 for the latter).

Basically, the client spams standard HTTP requests to the server via the firewall using a basic HTTP injector tool and evaluates the number of successfully processed requests per second.

As one can expect, there is an inverse relationship between the number of sessions/s a firewall can sustain and the size of the requested object. To achieve maximum throughput, you've got to request big objects (i.e. 50 KB or more), whereas to achieve the maximum session rate per second, you've got to make requests for 0-size objects.

Prior to this, I've run some tests with a Linux firewall running iptables, and I've come up with an average rate of 11300 sessions/s for 0-size objects (straight-up results, no tweaks or improvements made).

Moving on to the OpenBSD tests, I only achieved an average rate of 7000 sessions/s for 0-size objects (starting at 8000, slowly decreasing to 7000 - 6500 ...), which is way above the Linux/iptables average rate. I then tried to make some tweaks in /etc/sysctl.conf, but no improvement so far. The ruleset I use is the following (copied from the OpenBSD PF tutorial):

# silently drop blocked packets instead of returning RST/ICMP
set block-policy drop
# let everything out, stop evaluating further rules
pass out quick
# redirect inbound HTTP on the external interface to the web server
pass in on $WAN inet proto tcp port 80 rdr-to $HTTP_SERVER_IP
pass in inet proto icmp all
pass in on $LAN

So I come here now to know whether you guys have any idea what sort of tweaks I could try to significantly enhance the number of TCP sessions per second processed by PF. I'm kind of a PF newbie, so I'm clueless for the moment. Any hints, thoughts or ideas are appreciated!
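As an added example (not from this thread or from the OpenBSD project), here is how to measure the same thing from the firewall's side: the delta of PF's state-table "inserts" counter between two `pfctl -si` snapshots, since the Rate column pfctl prints is an average since PF was enabled rather than the rate during the test run. The two snapshots below are constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example: instantaneous PF state-insertion rate from two
# `pfctl -si` snapshots. Every new TCP session through a stateful rule
# (including the rdr-to rule above) creates one state, so inserts/s is
# the firewall-side view of sessions/s.

# Extract the "inserts" total from one pfctl -si snapshot read on stdin.
pf_inserts_total() {
    awk '$1 == "inserts" { print $2; exit }'
}

# pf_state_rate <snapshot_a> <snapshot_b> <seconds_between_them>
# Prints integer state insertions per second between the two snapshots.
pf_state_rate() {
    a=$(printf '%s\n' "$1" | pf_inserts_total)
    b=$(printf '%s\n' "$2" | pf_inserts_total)
    echo $(( (b - a) / $3 ))
}

# Live use on the OpenBSD firewall (as root) while the HTTP injector
# runs; hypothetical helper, uncomment where pfctl is available.
# pf_live_rate() {
#     s1=$(pfctl -si); sleep "$1"; s2=$(pfctl -si)
#     pf_state_rate "$s1" "$s2" "$1"
# }

# Constructed sample snapshots, assumed to be 5 seconds apart during a
# run of 0-size requests (same layout as pfctl -si "State Table").
SNAP_A='State Table                          Total             Rate
  current entries                      512
  searches                          900000        36000.0/s
  inserts                           100000         4000.0/s
  removals                           99488         3979.5/s'
SNAP_B='State Table                          Total             Rate
  current entries                      530
  searches                         1690000        36000.0/s
  inserts                           135000         4100.0/s
  removals                          134470         4050.0/s'

pf_state_rate "$SNAP_A" "$SNAP_B" 5   # -> 7000
```

If "current entries" sits close to the states hard limit shown by `pfctl -sm`, the bottleneck is state-table slots (new connections are refused until old states time out), not packet processing speed.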
#2
16th August 2011
jggimi
More noise than signal
Join Date: May 2008
Location: USA
Posts: 6,354

You will want to ask this question on the PF mailing list. It is likely you will get your best answers there. This is a very small community of users, here.

I would wonder if rdr-to forces traffic normalization, but that is just conjecture.

Last edited by jggimi; 16th August 2011 at 10:14 AM.