New firewall test site

Discussion in 'other firewalls' started by firewalltester, Jan 6, 2006.

Thread Status:
Not open for further replies.
  1. Arup

    Arup Guest

    What kind of load may I ask? I have 45 PCs on LAN client at my univ and there is no bog down there by any means. Are you telling me that you see throughput dropping under CHX?
     
  2. Piolyte

    Piolyte Registered Member

    Joined:
    Jan 7, 2006
    Posts:
    15
    It causes Windows to lag out badly, keyboard and mouse stop responding too.
    Till I stop the flood.
     
  3. Arup

    Arup Guest

    Strange, in my case, Win2K Pro never lags with any heavy use, using ZAP and other firewalls for a long period does cause the system response to slow up when using P2P etc.
     
  4. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Hi,

    I also fail to see the problem with CHX-I under heavy load. We run more than 1000 computers in our Government infrastructure and are targets of frequent solicitation and/or attack probes of all sorts. Most machines are running Win2k or WinXP Pro SP2 installs with antivirus and all the fuss a network security infrastructure should have. Now if you configure CHX-I as you should and not out of the box you shouldn't have any problems. We run a dedicated OC line for the building and we host various IT and GOV websites on multiple servers and I have never seen CHX-I crap out the way you say it did. Now... I'm sure our traffic output beats the hell out of whatever test you ran and I would like to know the test conditions and please no bull. Stefan_R from CHX-I is watching.

    Regards,
    fluxgfx.com
     
  5. Piolyte

    Piolyte Registered Member

    Joined:
    Jan 7, 2006
    Posts:
    15
    Well I have hping2 running on FreeBSD flooding Windows XP with CHX-I running. It sends out 9,999 byte packets every 1ms and sends CHX-I into a race condition, causing things like keyboard and mouse to stop responding till the flood is stopped. Exact hping2 commands used are on the front page of the site. Have you tried the same method, FluxGFX? :)
     
  6. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    Hi Piolyte,

    I have tried the suggested hping2 from an outside source and from an internal source. I have yet to see any slowdown on any of the main server entrances and/or user desktop performance. I'll try to reproduce your conditions later in the day. As of now no slowdown detected in the last 1hr of running this for a total of 7.8GB of bandwidth to hit the systems. Overall network spike less than 2.1%

    Regards,
    fluxgfx.com
     
  7. Mrkvonic

    Mrkvonic Linux Systems Expert

    Joined:
    May 9, 2005
    Posts:
    10,221
    Hi,
    Suggestions:
    Explain what each item means - your average user will be alarmed by so many fails - without really knowing what these are and how serious they are.
    More info on the tests themselves - how, why, where.
    Mrk
     
  8. FluxGFX

    FluxGFX Registered Member

    Joined:
    Jan 23, 2003
    Posts:
    667
    Location:
    Ottawa/Canada
    I agree.
     
  9. Piolyte

    Piolyte Registered Member

    Joined:
    Jan 7, 2006
    Posts:
    15
    You're right, I need to rewrite parts of the site.
    Thanks for the feedback :)
     
  10. Stefan_R

    Stefan_R Registered Member

    Joined:
    Dec 12, 2004
    Posts:
    47
    As I have stated before - it would be of great help to those who are trying to reproduce your tests if you can actually post the configuration of the packet filter: state options, static filters, state timeouts, etc.

    What is important here is that you may help us improve the driver if we know the details of your test. Posting results is irrelevant unless we meet the same test criteria.

    I am also curious as to how exactly did the pf pass your application to network awareness test. ;)

    Best Regards,

    Stefan
     
  11. Piolyte

    Piolyte Registered Member

    Joined:
    Jan 7, 2006
    Posts:
    15
    New CHX-I page up. Thinking back I actually had a file system error while flooding CHX-I. But retested on a fresh load of Windows and it actually ran smoothly this time round. Sometimes I really hate Windows when it decides to behave badly under the hood, causing things like CHX-I to cause file system errors. I actually ran the test multiple times to confirm it wasn't just a one off either.
     
    Last edited: Jan 10, 2006
  12. Stefan_R

    Stefan_R Registered Member

    Joined:
    Dec 12, 2004
    Posts:
    47
    Much obliged for the effort.

    However - it is not a positive result for chx I am looking after... Any third party testing is more than welcome - and I am sure there are thousands of things that need to be improved on our driver quality.

    I still insist that the pf should fail the application to network awareness - unless I am failing miserably at understanding the nature of that test.

    Also - you should still post the actual configuration of the pf during testing (for validation purposes).

    Best regards,

    Stefan
     
  13. Stefan_R

    Stefan_R Registered Member

    Joined:
    Dec 12, 2004
    Posts:
    47
    Moreover:

    Does the firewall detect and ignore fixed source ports (wrong choice of words again)?

    nmap -sS -g xx is a trivial test for a properly configured chxpf box.

    Activate TCP state on and add one single static filter: Allow TCP(!SYN)



    Regards,

    Stefan
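
The point in the post above, as an added example that is not part of the original thread and is not CHX-I code: a toy packet-filter model showing why a SYN probe with a fixed source port passes a stateless rule that trusts source ports but not a stateful filter whose only static rule is Allow TCP(!SYN). The reading of "!SYN" as "not a connection-opening SYN", the class and function names, and the documentation-range addresses are all assumptions made for the illustration.

```python
# Toy model: fixed-source-port SYN probe vs. two filtering policies.
# Constructed names and addresses; assumed semantics, not CHX-I's engine.
from dataclasses import dataclass

@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset
    inbound: bool

def port_trusting_filter(pkt, trusted_sports=(20, 53)):
    """Weak stateless rule: inbound TCP passes if its source port looks
    like a reply from FTP-data or DNS. The sender chooses that port."""
    return (not pkt.inbound) or pkt.sport in trusted_sports

class StatefulFilter:
    """Assumed semantics: outbound traffic is allowed and tracked; inbound
    packets carrying a bare SYN never match the static rule; other inbound
    packets must belong to a tracked session."""
    def __init__(self):
        self.sessions = set()
    def allow(self, pkt):
        opening_syn = "SYN" in pkt.flags and "ACK" not in pkt.flags
        if not pkt.inbound:
            if opening_syn:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if opening_syn:
            return False  # no rule admits a new inbound connection
        # Replies are matched on the reversed 4-tuple of a tracked session.
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions

def demo():
    host, scanner, server = "192.0.2.10", "198.51.100.7", "203.0.113.5"
    probe = Pkt(scanner, 53, host, 445, frozenset({"SYN"}), True)
    stray_ack = Pkt(scanner, 53, host, 445, frozenset({"ACK"}), True)
    out_syn = Pkt(host, 40000, server, 80, frozenset({"SYN"}), False)
    reply = Pkt(server, 80, host, 40000, frozenset({"SYN", "ACK"}), True)
    fw = StatefulFilter()
    return {
        "stateless_probe": port_trusting_filter(probe),
        "stateful_probe": fw.allow(probe),
        "stateful_stray_ack": fw.allow(stray_ack),
        "outbound": fw.allow(out_syn),
        "stateful_reply": fw.allow(reply),
    }
```

In this model the source port never enters the stateful decision, so choosing it buys the prober nothing, while the reply to the host's own outbound connection still gets through.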
     
  14. Arup

    Arup Guest

    As I suspected, CHX never faltered on my system or the super loaded high volume traffic system at the univ.
     
  15. Piolyte

    Piolyte Registered Member

    Joined:
    Jan 7, 2006
    Posts:
    15
    Done, check page again.
     
  16. Piolyte

    Piolyte Registered Member

    Joined:
    Jan 7, 2006
    Posts:
    15
    Seems it does falter for me under a specific config shown on updated page.
     
  17. Arup

    Arup Guest

    Well yours seems to be an exceptional case which doesn't establish the rule by any chance. Every other test system with CHX passes with flying colors and it beats all the other firewalls listed at your page in terms of load and high traffic handling.
     
  18. Stefan_R

    Stefan_R Registered Member

    Joined:
    Dec 12, 2004
    Posts:
    47
    Arup,

    The tester shows the config at:

    http://www.firewall-test.net/chxi/index.html

    The "load test" fails when the only thing enabled is "deny frag pckts".

    Now that the configs are listed anyone can draw their own conclusions and/or reproduce the results.

    Best Regards,

    Stefan
     
  19. Arup

    Arup Guest

    I totally understand, but deny all frag incoming packets is an option which is never needed under any normal circumstance, never had to check it myself when running it under server environment or home.
     
  20. Piolyte

    Piolyte Registered Member

    Joined:
    Jan 7, 2006
    Posts:
    15
    It would be nice if others did these tests on their systems, to form an idea of how it works for them. :)

    Also Stefan, what's the status on version 3.0, still beta or near release?
     
  21. Piolyte

    Piolyte Registered Member

    Joined:
    Jan 7, 2006
    Posts:
    15
    Then you'll be fine. :)
     
  22. Stefan_R

    Stefan_R Registered Member

    Joined:
    Dec 12, 2004
    Posts:
    47
    It is a stable beta. ;)


    Regards,

    Stefan
     
  23. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    First, you have to have better information about the tests you made on your site.
    Second, try to know better the features of each firewall you test.
    Third, describe what the configurations of each firewall used in those tests are.
    Fourth, and the most important, improve your knowledge about firewalls!

    Hope this can help you on something...

    Regards
     
  24. justpassing

    justpassing Guest

    Well, I'm sure nobody is perfect, but it's clear to me Piolyte knows far more about networking and firewalls than you, VC!
     
  25. rdsu

    rdsu Registered Member

    Joined:
    Jun 28, 2003
    Posts:
    4,537
    :D

    I'm not a network expert and never said that I was, but it's very simple to see that these tests are very incomplete and wrongly made, and what do you know about my knowledge of networks!?

    We aren't talking about me but about the tester and its website!

    Hope you can understand that... ;)
     