"Daniel Hartmeier" wrote: > > I think most people (falsely) assume that filtering statelessly is > faster with their rule sets. Even simple real-life filter policies put > create less load on the firewall when state is being kept. Just to corroborate: I agree 100% with this. In my experience (our stuff), ruleset lookup hits on stateless packet forwarding rules at the _very top_ of the ruleset is comparable to keeping state. Anything below the very top will start showing differences, and for someone that needs "maximum throughput", hits on rules 100+ can be "painful". We should have PDFs that show the exact ratios for our gear lying around here somewhere, but people have left for the day and I can't seem to find them. :/ Of course, there's also the issue of establishing new sessions. If you're opening and tearing down sessions at a fearful ratio (tens of thousands of states per second), you might be better off (if security allows it) to have maybe a dozen or so stateless packet packet forwarding rules at the top of the ruleset. Of course, with stateless filtering rules, you'll lose things like: - SYN flood protection - TCP ISN randomization - LOGGING! -- Mikael Olsson, Clavister AB Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05 Fax: +46 (0)660 122 50 WWW: http://www.clavister.com "Senex semper diu dormit" _______________________________________________ firewall-wizards mailing list firewall-wizardsat_private http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 09:36:34 PDT