05-28-2007, 11:57 PM
SpotSec
Senior Member
Join Date: Feb 2007
Location: United States
Posts: 121
SpotSec Network Gateway Design Feedback

So after looking into performance, I've begun to wonder about the current design of my firewall built from Gentoo Linux. The current design is a PHP configuration backend (from now on referred to as the Backend) that serves as a control center for all the config tasks that we need. It accepts connections through SOAP over HTTPS (I'm looking into more secure methods). The SOAP server itself, when profiled during a login request, completed execution in ~355ms, and the Frontend (for now we are referring to the web control panel in a chrooted environment) completed execution in ~800ms. Roughly ~300ms was lost during the SOAP call, which leaves the ~200ms the Frontend uses to load classes.

As you can see, this adds up to a lot of time lost compared to a single configuration daemon and web interface, which runs at about ~500ms. The problem is that we are designing this to also run on standard PC hardware, as most people will not have a nice server available. While the Backend and Frontend method will provide enhanced security and the code separation is nice, I am worried about the performance impact when it scales.

This type of design is used by several other firewall Linux distros like Astaro, which uses an XML-RPC backend and a Perl-based frontend. It also looks like the same design is proposed in the IPCop roadmap.

So the question is, is this design feasible? Should the Backend and Frontend be combined?
__________________
Zym Framework - A Zend Framework extension library w/ demo app

SpotSec Blog:
http://spotsec.com/blog

Last edited by SpotSec : 05-30-2007 at 02:52 AM.
All times are GMT.