Re: [fw-wiz] CERT vulnerability note VU# 539363 (fwd)

From: Paul D. Robertson (probertsat_private)
Date: Wed Oct 16 2002 - 07:52:41 PDT

    [Forwarded with Daniel's permission]
    
    I'm all in favor of real data, especially when it overrides dogma.  In 
    this case, I'm guilty of just accepting the dogma that packet filtering 
    rules and state table rules should take about as long to go through as one 
    another and therefore it's a numbers game.  Daniel's data says (at least 
    for the test set) otherwise.  This is much more interesting to me than the 
    usual "performance" test conversations that come up around firewalls.
    
    Paul
    
    ---------- Forwarded message ----------
    Date: Wed, 16 Oct 2002 16:27:19 +0200
    From: Daniel Hartmeier <danielat_private>
    To: Paul D. Robertson <probertsat_private>
    Subject: Re: [fw-wiz] CERT vulnerability note VU# 539363
    
    [ Answering this off-list, as I don't want to shamelessly advocate. ]
    
    On Wed, Oct 16, 2002 at 10:23:08AM -0400, Paul D. Robertson wrote:
    
    > > Keeping state can have performance benefits. Depending on your rule set,
    > > associating a packet with a state entry is cheaper than evaluating the
    > > rules. Keeping state does not 'just' increase the quality of filter
    > > decisions.
    > 
    > Ok, I can see that if you're handling less stateful entries than you have 
    > rules, but with good rule ordering, or a busy site, I'm not sure it's a 
    > gimme.  Do you have any way to measure which is better, or threshold 
    > information?
    
    No, the surprising thing in my benchmarks was that the ratio is much
    different. Filtering statefully with 50000 states is cheaper than
    evaluating even 100 rules for each packet, at least in the packet
    filters I measured: http://www.benzedrine.cx/pf-paper.html.
    
    I think most people (falsely) assume that filtering statelessly is
    faster with their rule sets. Even simple real-life filter policies
    create less load on the firewall when state is being kept.
    
    Daniel
    
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizardsat_private
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
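
The cost difference Daniel describes can be made concrete with a small model. The following Python is an added illustration, not code from the thread or from pf: it counts how many rule comparisons a stateless filter spends walking a first-match rule list for every packet, against a stateful filter that walks the rules only for the first packet of a flow and then matches later packets with one hash lookup on the 5-tuple. The rule set, the traffic, and the simplifications (one-directional flows, a trailing default block, no state created for blocked packets) are all constructed assumptions for the example; the default sizes are scaled down from Daniel's 50000-state figure so the script runs in a second or two.

```python
"""Toy model: rule-walk cost of stateless vs stateful packet filtering.

Constructed example. The unit of cost is one rule comparison; the state
table lookup is a Python set/dict hit and is counted as free, which is the
point the benchmark in the thread makes: its cost does not grow with the
number of rules.
"""
from collections import namedtuple

Packet = namedtuple("Packet", "proto src sport dst dport")
Rule = namedtuple("Rule", "action proto dst dport")  # None means wildcard


def make_rules(n):
    """n 'pass' rules on distinct (dst, dport) pairs, then a default block."""
    rules = [Rule("pass", "tcp", "10.0.0.%d" % (i % 250 + 1), 1000 + i)
             for i in range(n)]
    rules.append(Rule("block", None, None, None))
    return rules


def rule_matches(rule, pkt):
    return ((rule.proto is None or rule.proto == pkt.proto)
            and (rule.dst is None or rule.dst == pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def evaluate_rules(rules, pkt):
    """First-match linear walk (a simplification; pf is last-match by
    default). Returns (action, number of rules compared)."""
    for i, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt):
            return rule.action, i
    return "block", len(rules)  # only reached without a default rule


def flow_key(pkt):
    """5-tuple key of a flow; the real thing also matches the reverse
    direction, which this model leaves out."""
    return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)


def stateless_filter(rules, packets):
    """Every packet walks the rule set. Returns (passed, comparisons)."""
    passed = comparisons = 0
    for pkt in packets:
        action, n = evaluate_rules(rules, pkt)
        comparisons += n
        passed += action == "pass"
    return passed, comparisons


def stateful_filter(rules, packets):
    """Only a packet with no state entry walks the rules. A passing packet
    creates a state entry; later packets of that flow are matched by one
    set lookup. Blocked packets create no state, so a blocked flow keeps
    walking the rules. Returns (passed, comparisons, states)."""
    states = set()
    passed = comparisons = 0
    for pkt in packets:
        key = flow_key(pkt)
        if key in states:
            passed += 1
            continue
        action, n = evaluate_rules(rules, pkt)
        comparisons += n
        if action == "pass":
            states.add(key)
            passed += 1
    return passed, comparisons, len(states)


def make_traffic(rules, flows, packets_per_flow):
    """Constructed traffic: `flows` TCP flows, each aimed at one pass rule
    chosen round-robin, with packets_per_flow packets each. Packets are
    interleaved across flows so every flow's state must be found by lookup,
    not by repeating the previous packet's decision."""
    pass_rules = [r for r in rules if r.action == "pass"]
    pkts = []
    for _ in range(packets_per_flow):
        for f in range(flows):
            r = pass_rules[f % len(pass_rules)]
            src = "192.0.2.%d" % (f % 254 + 1)
            sport = 1024 + (f // 254) % 60000
            pkts.append(Packet("tcp", src, sport, r.dst, r.dport))
    return pkts


def compare(n_rules=100, flows=2000, packets_per_flow=10):
    """Run both filters over the same traffic and report the cost of each."""
    rules = make_rules(n_rules)
    traffic = make_traffic(rules, flows, packets_per_flow)
    sl_passed, sl_cmp = stateless_filter(rules, traffic)
    sf_passed, sf_cmp, n_states = stateful_filter(rules, traffic)
    assert sl_passed == sf_passed  # identical policy decisions either way
    return {"packets": len(traffic), "rules": n_rules, "states": n_states,
            "passed": sl_passed, "stateless_comparisons": sl_cmp,
            "stateful_comparisons": sf_cmp}


if __name__ == "__main__":
    for k, v in compare().items():
        print("%-22s %d" % (k, v))
```

With the defaults, the stateless walk spends about ten times the comparisons of the stateful one, and the ratio is simply the number of packets per flow: the stateful filter pays the rule walk once per flow, the stateless one once per packet. Growing the rule set makes both sides' walk longer, but only the stateless side walks for every packet, which is the effect the thread's 100-rules-versus-50000-states comparison is about.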
    



    This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 08:19:21 PDT