tech-net: Re: Overhead of stateful packet filtering

Subject: Re: Overhead of stateful packet filtering
To: None <tech-net@NetBSD.org>
From: Henning Brauer <hb-netbsd-tech-net@bsws.de>
List: tech-net
Date: 08/20/2005 14:12:25
* Matthias Scheler <tron@zhadum.de> [2005-08-20 13:59]:
> I'm considering reconfiguring my firewall (NetBSD 3.0_BETA, PF) to use
> stateful packet filtering. But I'm concerned about the overhead caused
> by that.
There is no overhead - it is faster than stateless filtering, since
state lookups are way faster than ruleset evaluations.
> Stateful packet filtering means that it has to keep track of every
> connection routed through it. I therefore wonder how much CPU time
> and memory PF needs for that per connection.
As said, it saves CPU power. For memory, well, the rule of thumb is
something like 1000 states per MB of RAM in the machine.
-- 
Henning Brauer, hb@bsws.de, henning@openbsd.org
BS Web Services, http://bsws.de
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
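
The points above in working form, as an added example that is not part of the original post or of PF itself: a small POSIX shell script that turns the quoted rule of thumb (about 1000 states per MB of RAM) into a `set limit states` ceiling and emits a pf.conf that puts a stateless ruleset beside its stateful equivalent, in the PF 3.x-era syntax NetBSD 3.0 ships (`keep state` has to be written explicitly there; it is not the default). The interface name `fxp0`, the 512 MB figure and the choice to hand one quarter of RAM to the state table are assumptions for illustration; the pfctl commands are the standard ones for checking the result.

```shell
#!/bin/sh
# Added example, not code from the original post. Derives a state-table
# ceiling from the ~1000 states per MB rule of thumb and generates a
# pf.conf contrasting stateless and stateful rules. Interface name, RAM
# size and the 1/DIVISOR reservation are assumptions for illustration.

# state_limit RAM_MB DIVISOR -> ceiling for `set limit states`
# Rule of thumb: ~1000 states per MB. Only a fraction (1/DIVISOR) of RAM
# is handed to the state table so the rest of the kernel keeps its memory.
state_limit() {
    ram_mb=$1; divisor=$2
    echo $(( ram_mb * 1000 / divisor ))
}

# gen_pf_conf EXT_IF STATE_LIMIT -> pf.conf text on stdout
gen_pf_conf() {
    ext_if=$1; limit=$2
    cat <<EOF
# --- generated example pf.conf (hypothetical interface $ext_if) ---
ext_if = "$ext_if"

# Each state costs memory, so bound the table with a value derived from
# the ~1000 states/MB rule of thumb instead of relying on the default.
set limit states $limit

# Stateless (commented out): every packet, in both directions, walks the
# ruleset, and the reply rule has to accept whatever flags come back.
# pass in  on \$ext_if proto tcp from any to \$ext_if port 22
# pass out on \$ext_if proto tcp from \$ext_if port 22 to any

# Stateful: only the initial SYN (flags S/SA) is evaluated against the
# ruleset; every later packet of the connection is matched by a state
# lookup, which is the cheaper path the reply above refers to.
block all
pass in  on \$ext_if proto tcp from any to \$ext_if port 22 flags S/SA keep state
pass out on \$ext_if proto { tcp udp } from \$ext_if to any keep state
EOF
}

# Usage: generate the file, syntax-check it, then watch the table in use.
main() {
    ram_mb=${1:-512}                      # assumed RAM size in MB
    limit=$(state_limit "$ram_mb" 4)      # a quarter of RAM for states
    gen_pf_conf fxp0 "$limit" > /tmp/pf.conf.example
    cat /tmp/pf.conf.example
    # pfctl -nf /tmp/pf.conf.example            # parse only, load nothing
    # pfctl -s info | grep -A1 'State Table'    # current entries in use
    # pfctl -s memory                           # the limits in force
}

main "$@"
```

With 512 MB and a divisor of 4 the script emits `set limit states 128000`; compare `pfctl -s info` under real load against that figure before trusting the rule of thumb on a particular box, since the per-state cost depends on the kernel, not on the rule.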
