SW firewall speed drop :-(

on 29.10.2007 16:41:31 by Nevets Steprock

I have a P4 2.53 GHz machine with Win XP Pro XP2.

With ZA 6.5 installed my max network speed is 4050/920 kbps.

If I uninstall or try from a PC w/o ZA I get 4971/962 kbps
(I even get that speed when testing using a WLAN connection).

That is a drop of about 20% in the speed.

Is ZA 6.5 causing this?
Is there anything to do about this drop?

Are there other versions of ZA that are better?
Newer or older?

Is any other software firewall better?

PS! I know some of you don't like software firewalls :-)
But if I INSIST on having one, what is the fastest??
--
Lars-Erik - http://www.osterud.name - ICQ 7297605
WinXP, Asus P4PE, 2.53GHz, 1GB, MSI 7600GS, SB-Live

Re: SW firewall speed drop :-(

on 29.10.2007 17:07:44 by Ansgar -59cobalt- Wiechers

Lars-Erik Østerud <.@.> wrote:
> With ZA 6.5 installed my max network speed is 4050/920 kbps.
>
> If I uninstall or try from a PC w/o ZA I get 4971/962 kbps
> (I even get that speed when testing using a WLAN connection).
>
> That is a drop of about 20% in the speed.
>
> Is ZA 6.5 causing this?

Obviously.

> Is there anything to do about this drop?

Remove ZA.

> Are there other versions of ZA that are better?
> Newer or older?

Probably not.

> Is any other software firewall better?

Some may do slightly better, others may do worse, maybe you can even get
ZA to give better results by tuning the config. However, all of them
will slow down your connection at least to some extent, because they
need to inspect the packets, which requires system resources.

> PS! I know some of you don't like software firewalls :-)
> But if I INSIST on having one, what is the fastest??

If you have Windows XP: the Windows-Firewall.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: SW firewall speed drop :-(

on 29.10.2007 17:40:01 by Sebastian Gottschalk

Lars-Erik Østerud wrote:

> I have a P4 2.53 GHz machine with Win XP Pro XP2.
>
> With ZA 6.5 installed my max network speed is 4050/920 kbps.
>
> If I uninstall or try from a PC w/o ZA I get 4971/962 kbps
> (I even get that speed when testing using a WLAN connection).
>
> That is a drop of about 20% in the speed.


Congratulations!

> Is ZA 6.5 causing this?


Well, seems so.

> Is there anything to do about this drop?


What should there be about it? Obviously works as expected and designed.


> Are there other versions of ZA that are better?
> Newer or older?
> Is any other software firewall better?


Since the amount of network fuckup is indeterministic, one cannot compare
easily.

> PS! I know some of you don't like software firewalls :-)
> But if I INSIST on having one, what is the fastest??


Hm? I thought your goal was to slow down the network and the computer,
that's what this kind of software is supposed to achieve.
If you want a fast network, you simply shouldn't install network fuckup
software.

Re: SW firewall speed drop :-(

on 29.10.2007 19:33:36 by Nevets Steprock

> If you have Windows XP: the Windows-Firewall.

But that can't check outgoing programs?
And won't add anything to the HW FW at all, or?

BTW: Found an even worse network hog. The avast! Web Shield
Turned it off and the speed rose from 4000 to 4600

Still can't understand why my desktop PC maxes at 4600
(even with ALL AV and FW software uninstalled) when my
older slower laptop easily gets 5000. What could it be?
--
Lars-Erik - http://www.osterud.name - ICQ 7297605

Re: SW firewall speed drop :-(

on 29.10.2007 20:26:11 by Ansgar -59cobalt- Wiechers

Lars-Erik Østerud <.@.> wrote:
>> If you have Windows XP: the Windows-Firewall.
>
> But that can't check outgoing programs?

Of course not. That would be pointless anyway.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: SW firewall speed drop :-(

on 30.10.2007 01:10:23 by Sebastian Gottschalk

Lars-Erik Østerud wrote:

>> If you have Windows XP: the Windows-Firewall.
>
> But that can't check outgoing programs?


Why should it? Aside from passively opening ports, where this is quite
reasonable.

> And won't add anything to the HW FW at all, or?


Hm? It's a quite good host-based packet filter, which is a quite good
addition to the HW FW that you most likely don't have at all.

> BTW: Found an even worse network hog. The avast! Web Shield
> Turned it off and the speed rose from 4000 to 4600


Worse? Seems like it did its job quite well: hogging the network.

> Still can't understand why my desktop PC maxes at 4600
> (even with ALL AV and FW software uninstalled) when my
> older slower laptop easily gets 5000. What could it be?


Ehm... because you totally messed it up with the mentioned software? Because
we can't assume that it properly uninstalled?

Re: SW firewall speed drop :-(

on 30.10.2007 09:34:20 by Nevets Steprock

Sebastian G. wrote:

> Ehm... because you totally messed it up with the mentioned software? Because
> we can't assume that it properly uninstalled?

Oh it's gone, no traces (even searched for and deleted all ZoneLab
files, easy to find). So I don't really think that is the problem.

Need to try a new network cable, and maybe another network card .-)
--
Lars-Erik - http://www.osterud.name - ICQ 7297605

Re: SW firewall speed drop :-(

on 30.10.2007 09:47:09 by Nevets Steprock

Found IT !!!!

I compared all settings on the two computers, and noticed some
services running on mine and not on the other.

So I tested one at a time, and when I disabled the "DNS Client" (local
caching of DNS entries) the speed went from 4600 and up to 4970 kbps.

But why should the DNS client have this huge bad impact on the speed?
--
Lars-Erik - http://www.osterud.name - ICQ 7297605

Re: SW firewall speed drop :-(

on 31.10.2007 14:39:58 by Mak

Lars-Erik Østerud wrote:
> Found IT !!!!
>
> So I tested one at a time, and when I disabled the "DNS Client" (local
> caching of DNS entries) the speed went from 4600 and up to 4970 kbps.
>
makes no sense,
enabled local dns cache should obviously speed up your surfing experience.
i think that was a coincidence, keep testing......

M

Re: SW firewall speed drop :-(

on 31.10.2007 18:22:35 by goarilla

Ansgar -59cobalt- Wiechers wrote:
> Lars-Erik Østerud <.@.> wrote:
>>> If you have Windows XP: the Windows-Firewall.
>> But that can't check outgoing programs?
>
> Of course not. That would be pointless anyway.

why ?

>
> cu
> 59cobalt

Re: SW firewall speed drop :-(

on 31.10.2007 20:19:11 by Nevets Steprock

mak wrote:

> enabled local dns cache should obviously speed up your surfing experience.
> i think that was a coincidence, keep testing......

Well, if you access the SAME server it could. But for new DNS
addresses it would take (theoretically) a bit longer (must check local
DNS first).

Anyway, found out that DNS client is slower than NO DNS client if
there are many entries in the HOSTS file for some reason :-/
--
Lars-Erik - http://www.osterud.name - ICQ 7297605

Re: SW firewall speed drop :-(

on 01.11.2007 01:25:41 by Sebastian Gottschalk

Lars-Erik Østerud wrote:


> Anyway, found out that DNS client is slower than NO DNS client if
> there are many entries in the HOSTS file for some reason :-/


For some reason? The HOSTS file normally contains only one entry...

Re: SW firewall speed drop :-(

on 01.11.2007 13:31:11 by Nevets Steprock

> > Anyway, found out that DNS client is slower than NO DNS client if
> > there are many entries in the HOSTS file for some reason :-/
>
> For some reason? The HOSTS file normally contains only one entry...

Yep, but why does a HUGE hosts file cause a slowdown only when DNS
Client is running, not without? One should think that the hosts file
needed to be parsed even when the DNS Client is not running?

Some anti ad-ware adds "fake" entries to the hosts file. That prevents
accessing those sites from a web-browser (and also blocks cookies,
scripts, activexes etc from those sites). But slows down with DNS
Client running for some reason (no slowdown without DNS Client).

More reading here:

Also, please see the note under the heading Block Spyware/Ad Networks
on this page, it has an explanation of why the slowdown can sometimes
occur:
http://www.bleepingcomputer.com/tutorials/tutorial51.html

There is also info about disabling dns client service on this
page, with a note about it being intended for home users:
http://www.mvps.org/winhelp2002/hosts.htm
--
Lars-Erik - http://www.osterud.name - ICQ 7297605

Re: SW firewall speed drop :-(

on 01.11.2007 21:10:41 by Sebastian Gottschalk

Lars-Erik Østerud wrote:

>>> Anyway, found out that DNS client is slower than NO DNS client if
>>> there are many entries in the HOSTS file for some reason :-/
>> For some reason? The HOSTS file normally contains only one entry...
>
> Yep, but why does a HUGE hosts file cause a slowdown only when DNS
> Client is running, not without?


Because no one ever considered testing such a case?

> One should think that the hosts file
> needed to be parsed even when the DNS Client is not running?


It gets parsed only once. It's the lookup time that goes up when combining
it with the caching.

> Some anti ad-ware adds "fake" entries to the hosts file. That prevents
> accessing those sites from a web-browser (and also blocks cookies,
> scripts, activexes etc from those sites).


And doesn't prevent it from accessing any site whose hostname just slightly
differs from the listed one. Now, as a badguy, I'd simply let resolve
*.malware.org to the same address and use a randomly generated subdomain.
That's why this approach is so utterly stupid: It simply doesn't work.

Re: SW firewall speed drop :-(

on 01.11.2007 22:11:04 by Nevets Steprock

Sebastian G. wrote:

> It gets parsed only once. It's the lookup time that goes up when combining
> it with the caching.

But why doesn't the lookup time go up with the DNS client disabled?
The "hosts" file is still searched (entries in it still do work).

I find it strange that lookup is slower WITH the DNS client. Weird.
--
Lars-Erik - http://www.osterud.name - ICQ 7297605

Re: SW firewall speed drop :-(

on 02.11.2007 00:31:37 by Ansgar -59cobalt- Wiechers

goarilla <"kevin DOT paulus AT skynet DOT be"> wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> Lars-Erik Østerud <.@.> wrote:
>>>> If you have Windows XP: the Windows-Firewall.
>>>
>>> But that can't check outgoing programs?
>>
>> Of course not. That would be pointless anyway.
>
> why ?

Because firewalls can't do that reliably. Whatever Malware you're trying
to stop from communicating: it's already running and can thus bypass
your measures. The only way to reliably stop malware from communicating
is to stop it from being run in the first place. Which is done by
Software Restriction Policies or AV software, not personal firewalls.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: SW firewall speed drop :-(

on 02.11.2007 01:36:46 by Sebastian Gottschalk

Lars-Erik Østerud wrote:

> Sebastian G. wrote:
>
>> It gets parsed only once. It's the lookup time that goes up when combining
>> it with the caching.
>
> But why doesn't the lookup time go up with the DNS client disabled?
> The "hosts" file is still searched (entries in it still do work).
>
> I find it strange that lookup is slower WITH the DNS client. Weird.


That's not weird at all. Just think through what the DNS client does when it
receives a request from a program:

1. look it up in the HOSTS lists. If found, return the entry.
2. look it up in the cache. If found, return the entry.
3. query the primary DNS resolver for the entry
4. return the entry
5. if the reply was recursive or redirected, check if the entry isn't
already on the HOSTS list
6. store the entry in the cache

Without the caching:

1. look it up in the HOSTS lists. If found, return the entry.
2. query the primary DNS resolver for the entry
3. return the entry

As you can see, for some code paths the computational effort for finding an
entry is bigger with caching.

Going through a large HOSTS file is essentially implemented as a linear list
search. One could do better, but it's not optimized for the scenario BECAUSE
ONLY IDIOTS ABUSE THE HOSTS FILE FOR SOMETHING THAT SHOULD BE DONE WITHIN
THE APPLICATION OR AT LEAST AT A PROPER PACKET FILTER.
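
Added example, not part of the original thread: a small Python model of the two step lists in the post above, counting HOSTS-list comparisons and resolver queries per lookup. It assumes the steps exactly as the post gives them (linear HOSTS scan first, cache second, a second HOSTS scan after a redirected reply) and is not the Windows DNS Client's actual code; all names and addresses are constructed.

```python
# Model of the resolver steps as listed in the post; not Windows' real code.

def hosts_scan(hosts, name, stats):
    """Linear search through the HOSTS list, counting every comparison."""
    for entry_name, addr in hosts:
        stats["hosts_comparisons"] += 1
        if entry_name == name:
            return addr
    return None


def resolve_with_cache(hosts, cache, upstream, name, stats):
    addr = hosts_scan(hosts, name, stats)        # 1. HOSTS list
    if addr is not None:
        return addr
    if name in cache:                            # 2. cache
        return cache[name]
    stats["upstream_queries"] += 1               # 3. ask the resolver
    addr, canonical = upstream[name]
    if canonical is not None:                    # 5. redirected reply:
        hosts_scan(hosts, canonical, stats)      #    scan HOSTS again (cost only)
    cache[name] = addr                           # 6. store in the cache
    return addr                                  # 4. return the entry


def resolve_without_cache(hosts, upstream, name, stats):
    addr = hosts_scan(hosts, name, stats)        # 1. HOSTS list
    if addr is not None:
        return addr
    stats["upstream_queries"] += 1               # 2. ask the resolver
    return upstream[name][0]                     # 3. return the entry


def measure(n_entries, lookups=2):
    """Resolve one unlisted name `lookups` times on both paths."""
    # Constructed data: an ad-blocking style HOSTS list and one redirected name.
    hosts = [(f"ad{i}.blocked.example", "127.0.0.1") for i in range(n_entries)]
    upstream = {"www.shop.example": ("192.0.2.10", "cdn.shop.example")}
    cached = {"hosts_comparisons": 0, "upstream_queries": 0}
    uncached = {"hosts_comparisons": 0, "upstream_queries": 0}
    cache = {}
    for _ in range(lookups):
        resolve_with_cache(hosts, cache, upstream, "www.shop.example", cached)
        resolve_without_cache(hosts, upstream, "www.shop.example", uncached)
    return cached, uncached


if __name__ == "__main__":
    for n in (1, 1000, 20000):
        print(n, *measure(n))
```

In this model the cache saves the repeated resolver query but never the HOSTS scan, because step 1 runs before step 2 on every lookup.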

Re: SW firewall speed drop :-(

on 05.11.2007 20:13:38 by John Adams

Ansgar -59cobalt- Wiechers wrote:

> Of course not. That would be pointless anyway.
>
> cu
> 59cobalt

If it's completely pointless then why did Microsoft implement the
ability to block outgoing progs in Vista?

Re: SW firewall speed drop :-(

on 05.11.2007 20:17:33 by Sebastian Gottschalk

John Adams wrote:

> Ansgar -59cobalt- Wiechers wrote:
>
>> Of course not. That would be pointless anyway.
>>
>> cu
>> 59cobalt
>
> If it's completely pointless then why did Microsoft implement the
> ability to block outgoing progs in Vista?

For the sake of completeness, not for security.

And, of course, because users demand it. Microsoft is a corporation, and
thus their primary purpose is to make money. Even further, their official
corporation motto is "Writing software for making money". Thus, it's in their
best interests to keep users happy by implementing their suggestions even
though they're actually futile, particularly stupid and even pissing off
some professional users (like f.e. crippling Raw Sockets on XP SP2, which
forced the WinPCap team to use the legacy Win98 sockets support code path
for XPSP2).

Re: SW firewall speed drop :-(

on 05.11.2007 20:19:36 by John Adams

Sebastian G. wrote:
> It simply
> doesn't work.

Works for me. I get loads of ads blocked thanks to my hosts file. It's
not just to help block malware.

Re: SW firewall speed drop :-(

on 05.11.2007 20:23:05 by John Adams

Sebastian G. wrote:

> Going through a large HOSTS file is essentially implemented as a linear
> list search. One could do better, but it's not optimized for the
> scenario BECAUSE ONLY IDIOTS ABUSE THE HOSTS FILE FOR SOMETHING THAT
> SHOULD BE DONE WITHIN THE APPLICATION OR AT LEAST AT A PROPER PACKET
> FILTER.

I do it at the application level too but the hosts file is a fallback.
What is a "proper" packet filter? Being an idiot is more fun than being
an arrogant kraut fuckwit.

Re: SW firewall speed drop :-(

on 05.11.2007 20:32:26 by Sebastian Gottschalk

John Adams wrote:

> Sebastian G. wrote:
>> It simply
>> doesn't work.
>
> Works for me. I get loads of ads blocked thanks to my hosts file. It's
> not just to help block malware.


Strange, I do that at my webbrowser without requiring any DNS manipulation
and/or other administrative tasks, without clogging the logfile of my
webserver running at 127.0.0.1, and due to regular expressions it's surely
more effective. Even further, other applications are not influenced.

BTW, it doesn't work well for ads for the same reason why it doesn't work
for malware: DNS wildcards.
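
Added example, not part of the original thread: why a HOSTS-style blocklist, which redirects literal names only, misses the wildcard subdomains mentioned here and in the earlier post about *.malware.org, while a filter that matches on the domain suffix covers them. The blocklist and hostnames are constructed, and the suffix matcher stands in for filtering done in the browser or a proxy.

```python
# Constructed HOSTS-format blocklist; every name is a made-up example.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
127.0.0.1   ads.tracker.example     # one literal ad server
0.0.0.0     malware.example  www.malware.example
"""


def normalise(hostname):
    return hostname.strip().lower().rstrip(".")


def parse_hosts(text):
    """Return the names a HOSTS file redirects to a loopback/null address."""
    blocked = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in ("127.0.0.1", "0.0.0.0"):
            continue
        blocked.update(normalise(n) for n in fields[1:])
    blocked.discard("localhost")  # the stock entry is not a block rule
    return blocked


def exact_match(blocked, hostname):
    """HOSTS semantics: only the literal name is affected."""
    return normalise(hostname) in blocked


def suffix_match(blocked, hostname):
    """Domain-aware filter: a listed name also covers all of its subdomains."""
    labels = normalise(hostname).split(".")
    # Compare whole labels only, so "notmalware.example" does not match.
    return any(".".join(labels[i:]) in blocked for i in range(len(labels)))


def report(blocked, hostnames):
    return [(h, exact_match(blocked, h), suffix_match(blocked, h))
            for h in hostnames]


BLOCKED = parse_hosts(SAMPLE_HOSTS)

if __name__ == "__main__":
    probes = [
        "ads.tracker.example",      # listed literally
        "x7f3q.malware.example",    # wildcard-resolved random subdomain
        "img.ads.tracker.example",  # subdomain of a listed ad server
        "notmalware.example",       # unrelated name sharing a suffix string
    ]
    for host, exact, suffix in report(BLOCKED, probes):
        print(f"{host:28} hosts-file={exact!s:5} suffix-filter={suffix}")
```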

Re: SW firewall speed drop :-(

on 05.11.2007 20:35:00 by Sebastian Gottschalk

John Adams wrote:


> I do it at the application level too but the hosts file is a fallback.


What part of the word "abuse" didn't you understand?

> What is a "proper" packet filter?


One that allows filtering by netranges and resolves DNS names?

Re: SW firewall speed drop :-(

on 05.11.2007 20:45:59 by Ansgar -59cobalt- Wiechers

John Adams wrote:
> Ansgar -59cobalt- Wiechers wrote:
>> Of course not. That would be pointless anyway.
>
> If it's completely pointless then why did Microsoft implement the
> ability to block outgoing progs in Vista?

Popular demand.

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Re: SW firewall speed drop :-(

on 05.11.2007 22:30:16 by Nevets Steprock

John Adams wrote:

> Works for me. I get loads of ads blocked thanks to my hosts file. It's
> not just to help block malware.

For ad-blocking nothing beats WebWasher.
And it works as a proxy (the right way?)
Preventing ads from ever being downloaded
--
Lars-Erik - http://www.osterud.name - ICQ 7297605

Re: SW firewall speed drop :-(

on 05.11.2007 22:31:14 by Nevets Steprock

Sebastian G. wrote:

> BTW, it doesn't work well for ads for the same reason why it doesn't work
> for malware: DNS wildcards.

Then again. Filters like WebWasher filter on PARTS of the URL. Neat.
--
Lars-Erik - http://www.osterud.name - ICQ 7297605

Re: SW firewall speed drop :-(

on 06.11.2007 02:27:49 by Sebastian Gottschalk

Lars-Erik Østerud wrote:


> For ad-blocking nothing beats WebWasher.


With respect to interfering with proper functionality? I'd actually believe you.

> And it works as a proxy (the right way?)


The worst way, since it must use store & forward, therefore breaks
pipelining. The mentioned software product also breaks compression and E-Tag.

> Preventing ads from ever being downloaded


Uh, oh, that's really special. Unless you consider almost any
content-blocking extension for the Mozilla platform under the sun.

Re: SW firewall speed drop :-(

on 06.11.2007 02:29:08 by Sebastian Gottschalk

Lars-Erik Østerud wrote:

> Sebastian G. wrote:
>
>> BTW, it doesn't work well for ads for the same reason why it doesn't work
>> for malware: DNS wildcards.
>
> Then again. Filters like WebWasher filter on PARTS of the URL. Neat.


Adblock Plus doesn't even need any additional programs, and it has a huge
performance advantage due to the available DOM content.

Re: SW firewall speed drop :-(

on 07.11.2007 00:53:30 by Nevets Steprock

Sebastian G. wrote:

> Adblock Plus doesn't even need any additional programs, and it has a huge
> performance advantage due to the available DOM content.

But is it as customisable as WebWasher (parts of URLs, own list,
exceptions)? And does it work both with IE6, IE7, FF and Opera?

Where can I find more info (to test and compare)
--
Lars-Erik - http://www.osterud.name - ICQ 7297605

Re: SW firewall speed drop :-(

on 07.11.2007 00:57:43 by Nevets Steprock

Sebastian G. wrote:

> Uh, oh, that's really special. Unless you consider almost any
> content-blocking extension for the Mozilla platform under the sun.

Sadly I have to use IE6 and IE7 for things (bad applications).
And even though I do that using IE-TAB, it uses the IE engine.
Will AdBlock work then? How does it filter? Does it remove
images etc before they are fetched (like WebWasher). I like
the speedup not having to waste bandwidth on junk....

I guess WebWasher works like this

1) Fetches HTML-code for page
2) Removes all things filters find
3) Forwards HTML-code to browser
4) Browser fetches IMG tags that still are in the code

Of course a little delay since it needs to fetch the HTML, parse it, and
send it to the browser, but it's not noticeable at all on my PCs...

How does AdBlock work in comparison, can you explain a bit more?
--
Lars-Erik - http://www.osterud.name - ICQ 7297605

Re: SW firewall speed drop :-(

on 07.11.2007 02:29:08 by Sebastian Gottschalk

Lars-Erik Østerud wrote:

> Sebastian G. wrote:
>
>> Uh, oh, that's really special. Unless you consider almost any
>> content-blocking extension for the Mozilla platform under the sun.
>
> Sadly I have to use IE6 and IE7 for things (bad applications).


On the internet? Then discussing this is useless due to the inherent
security issues. A malicious website could and typically does simply install
its very own program code for displaying the advertisement,
bypassing/undermining the proxy.

> Will AdBlock work then? How does it filter? Does it remove
> images etc before they are fetched (like WebWasher).


Exactly.

> Of course a little delay since it needs to fetch the HTML, parse it, and
> send it to the browser, but it's not noticeable at all on my PCs...


For me it is, because I have a working HTTP 1.1 Pipelining.

> How does AdBlock work in comparison, can you explain a bit more?

AdBlock has the huge benefit that the browser already does the parsing, so
it can work on the highly optimized (and well standardized) in-memory
presentation.

Re: SW firewall speed drop :-(

on 07.11.2007 02:35:42 by Sebastian Gottschalk

Lars-Erik Østerud wrote:

> Sebastian G. wrote:
>
>> Adblock Plus doesn't even need any additional programs, and it has a huge
>> performance advantage due to the available DOM content.
>
> But is it as customisable as WebWasher (parts of URLs, own list,
> exceptions)?


Sure.

> And does it work both with IE6, IE7, FF and Opera?


No, it only works for the Mozilla browser series. For Opera, there're also
some extensions available even though it only has a slight filter integrated.
Dunno for IE, and I don't care since they're trivially vulnerable to any
kind of malware which does its own way of displaying ads.

Re: SW firewall speed drop :-(

on 07.11.2007 09:38:22 by Volker Birk

John Adams wrote:
> If it's completely pointless then why did Microsoft implement the
> ability to block outgoing progs in Vista?

Because people believe in that nonsense and want to buy that.
Metaphysics in Informatics.

It's just like with raw sockets in Windows XP.

Yours,
VB.
--
"The functional principles of the constitutional state are opposed to the
functional principles of the preventive state."
Erhard Denninger
Professor of Public Law and Philosophy of Law, University of Frankfurt

Re: SW firewall speed drop :-(

on 08.11.2007 23:15:39 by Nevets Steprock

Sebastian G. wrote:

> On the internet? Then discussing this is useless due to the inherent

Well, some sites (MS ones too) don't work OK with FF.
At work (another issue) lots of web applications require IE :-(
And since the IE core files always are on the system
(and are used by applications for "integrated" web windows)...

Well, one needs to protect as well as possible for IE as well
(WebWasher removes ads inside apps using IE and engine too :-)
--
Lars-Erik - http://www.osterud.name - ICQ 7297605

Re: SW firewall speed drop :-(

on 09.11.2007 01:20:29 by Sebastian Gottschalk

Lars-Erik Østerud wrote:

> Sebastian G. wrote:
>
>> On the internet? Then discussing this is useless due to the inherent
>
> Well, some sites (MS ones too) don't work OK with FF.


Show me one. In contrast I can show you many which wouldn't work with IE.

> At work (another issue) lots of web applications require IE :-(


Web applications are something different than webpages. Of course you might
use any insecure application client as long as you run it over an encrypted
and authenticated connection. That's why Windows Update, at least until
Microsoft broke it with version 6, is not a security problem.

> And since the IE core files always are on the system
> (and are used by applications for "integrated" web windows)...


that's a serious problem. But well, we already know that.

> Well, one needs to protect as well as possible for IE as well


There is no even partially tangible protection for IE, by design.