[Asterisk-Users] will a firewall slow down asterisk?
Kristian Kielhofner
kris at krisk.org
Wed Aug 10 09:21:01 MST 2005
Storm D. J. Petersen wrote:
> Any network device (ie: switch, router, firewall) will add a small amount of
> latency. To test the latency your firewall adds, you could simply try to do
> a ping www.google.com, directly in front and behind the firewall, and look
> at the ms response times.
>
> Cheers,
>
> S.
S.
This is true! However, pinging www.google.com is really not very good
from a testing perspective. They use Akamai, and they employ all kinds
of tricks to speed up response time and increase availability.
dig www.google.com:
;; ANSWER SECTION:
www.google.com. 900 IN CNAME www.l.google.com.
www.l.google.com. 202 IN A 64.233.161.99
www.l.google.com. 202 IN A 64.233.161.104
www.l.google.com. 202 IN A 64.233.161.147
So here Google has three possible IPs (they are on the same network,
but still)...
Find the IP address of a solid reliable server or router at an ISP near
you. Always ping by IP when testing!
Back to the original point, a firewall will add latency. However, it
depends a lot on the firewall software, underlying hardware, and
configuration. Most hardware these days is more than sufficient for
decent firewall software, and most firewall software is decent.
iptables, pf, ipf are all excellent open source solutions. As far as
proprietary software/hardware, I haven't found one that I have liked so far!
The ordering of rules is the most important. For stateful firewalls,
allow connections that match an existing state as one of your first
rules. That way, incoming connections only have to traverse the entire
firewall rule set on the first packet, and not for each subsequent
packet. That will speed things up significantly.
Also, order your rules so that the most latency sensitive and often
requested services are first. So, in your case, put
IAX2/SIP/H323/whatever traffic right after the "stateful accept" rule
from above.
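As an added illustration (not part of the original post, and not iptables itself), here is a small Python model of a stateful filter that counts how many rules each packet has to traverse under the two orderings described above; the addresses, ports and the ten-packet SIP flow are constructed for the example.

```python
# Toy stateful packet filter, constructed for this example (not iptables itself):
# it counts the rules each packet traverses before a verdict, so the cost of the
# rule ordering discussed above can be measured.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto")

def flow_key(p):
    # Direction-agnostic key, like a conntrack entry: both directions map to it.
    return (p.proto, frozenset({(p.src, p.sport), (p.dst, p.dport)}))

# A rule is (name, predicate(packet, state_table), verdict).
def established(p, state): return flow_key(p) in state
def udp_port(port): return lambda p, state: p.proto == "udp" and p.dport == port
def tcp_port(port): return lambda p, state: p.proto == "tcp" and p.dport == port
def anything(p, state): return True

RULE_ESTABLISHED = ("established", established, "accept")
RULE_SIP = ("sip", udp_port(5060), "accept")
RULE_IAX2 = ("iax2", udp_port(4569), "accept")
RULE_SSH = ("ssh", tcp_port(22), "accept")
RULE_HTTP = ("http", tcp_port(80), "accept")
RULE_DROP = ("default", anything, "drop")

# Ordering the post recommends: stateful accept first, VoIP right after it.
GOOD_ORDER = [RULE_ESTABLISHED, RULE_SIP, RULE_IAX2, RULE_SSH, RULE_HTTP, RULE_DROP]
# Same rules, stateful accept buried last and VoIP behind bulk services.
BAD_ORDER = [RULE_SSH, RULE_HTTP, RULE_IAX2, RULE_SIP, RULE_ESTABLISHED, RULE_DROP]

def filter_packets(rules, packets):
    """Return [(verdict, rules_checked)] per packet, keeping a state table."""
    state, results = set(), []
    for p in packets:
        for checked, (_name, match, verdict) in enumerate(rules, start=1):
            if match(p, state):
                if verdict == "accept":
                    state.add(flow_key(p))  # conntrack entry for this flow
                results.append((verdict, checked))
                break
    return results

def total_checks(rules, packets):
    return sum(checked for _, checked in filter_packets(rules, packets))

# Constructed SIP flow: phone 192.0.2.10 to PBX 198.51.100.5:5060, alternating directions.
CLIENT, PBX = ("192.0.2.10", 49152), ("198.51.100.5", 5060)
SIP_FLOW = [Packet(*CLIENT, *PBX, "udp") if i % 2 == 0 else Packet(*PBX, *CLIENT, "udp")
            for i in range(10)]
```

With the stateful accept first, the ten-packet flow costs 11 rule evaluations; with it last, 45; and with no stateful rule at all the PBX's replies (different destination port) are dropped.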
Of course, if you are talking about using a dumb Linksys/etc router,
you probably don't have much choice. Just hope that they configured
"the guts" properly!
--
Kristian Kielhofner