On Wed, 16 Oct 2002, Mikael Olsson wrote: > In my experience (our stuff), ruleset lookup hits on stateless packet > forwarding rules at the _very top_ of the ruleset is comparable to > keeping state. Hmmm, is this because "normal" rules aren't optimized or hashed, but state tables were kind of pre-assumed to be a performance issue, and therefore given performance attention at the design stage? Maybe it's just because the state information is easy to do a boolean comparison on? > Of course, there's also the issue of establishing new sessions. > If you're opening and tearing down sessions at a fearful ratio > (tens of thousands of states per second), you might be better off > (if security allows it) to have maybe a dozen or so stateless > packet packet forwarding rules at the top of the ruleset. Have any kind of feel for where the line is? Daniel's 5000 to 100 mention has me wondering if we can codify the sorts of places where this can be an easy performance win for folks who are in high utilization scenerios. > Of course, with stateless filtering rules, you'll lose things like: > - SYN flood protection > - TCP ISN randomization > - LOGGING! Why can't I log stateless rules? It's worked on every filtering router and packet filter I've personally used- am I missing something significant here? > "Senex semper diu dormit" Semtex semper *boom*[1] Paul [1] We had a dearth of gameshow sounds in this thread ;) ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions probertsat_private which may have no basis whatsoever in fact." probertsonat_private Director of Risk Assessment TruSecure Corporation _______________________________________________ firewall-wizards mailing list firewall-wizardsat_private http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
This archive was generated by hypermail 2b30 : Wed Oct 16 2002 - 09:53:22 PDT