[KLUG Members] Re: Broadband firewalls --

Peter Buxton members@kalamazoolinux.org
Sun, 8 Dec 2002 15:35:14 -0500

On Sat, Dec 07, 2002 at 10:52:20PM -0500, Bryan J. Smith wrote:

> That's not "stateful."  "Stateful" means it can inter-relate packets of
> different connections, not just change a single connection stream
> between two hosts.
>
> "Stateful" requires lots of memory, CPU and coding to maintain.  Orders
> of magnitude more than stateless.

Taken from http://www.benzedrine.cx/kerneltrap.html, this was, as you
might guess, originally on KernelTrap, but I am unable to find it there,
so:

Interview with OpenBSD's pf author:

JA: How does pf performance compare to other stateful packet filters?

Daniel Hartmeier: In the benchmarks I did and based on the feedback from
people who compared pf with other filters on production machines, very
well, often significantly better. In particular, we found that keeping
state on all connections scales well and is faster than stateless rule
evaluation.

JA: Are any of these benchmarks available online?

Daniel Hartmeier: Yes, they were done as part of a Usenix paper which
you can find at http://www.benzedrine.cx/pf-paper.html

The most important, and possibly surprising conclusion was that state
lookups are far more efficient than rule set evaluations, and keeping
state, apart from simplifying rule sets and improving filtering
decisions, does improve performance. Anyone who is filtering statelessly
based on the assumption that keeping state is too expensive might find
this very interesting.

-- 
for gpg key: http://killdevil.org/~peter
[The Basement Tapes were] like the Watergate tapes... Bob
would say, 'We should destroy this.' -- Robbie Robertson
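As an added illustration (not from the thread, and not pf's own code), a toy Python filter that models the evaluation order Hartmeier describes: a hashed state table is consulted first and the linear rule set is only walked on a miss, so a reply packet of an established connection costs one lookup instead of one comparison per rule. The addresses, ports and rules are constructed, and the hashed set stands in for pf's real state tree, which is an assumption made to keep the example short.

```python
from dataclasses import dataclass
from typing import Optional, Tuple
@dataclass(frozen=True)          # frozen => hashable, usable as a state-table key
class Packet:
    src: str
    dst: str
    sport: int
    dport: int

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    dst: Optional[str] = None    # None matches any address
    dport: Optional[int] = None  # None matches any port
    keep_state: bool = False     # create a state entry when this rule passes
    def matches(self, p: Packet) -> bool:
        return self.dst in (None, p.dst) and self.dport in (None, p.dport)

class Filter:
    def __init__(self, rules):
        self.rules = rules
        self.states = set()      # hashed 4-tuples: O(1) lookup per packet
        self.rule_evals = 0      # rules examined so far (the expensive part)

    def filter(self, p: Packet) -> Tuple[str, str]:
        # 1. State lookup first; it covers both directions of a known connection.
        reply = Packet(p.dst, p.src, p.dport, p.sport)
        if p in self.states or reply in self.states:
            return ("pass", "state")
        # 2. Miss: walk the whole rule set; last matching rule wins (pf default).
        matched = None
        for r in self.rules:
            self.rule_evals += 1
            if r.matches(p):
                matched = r
        if matched is None:
            return ("block", "default")   # assumed default-deny
        if matched.action == "pass" and matched.keep_state:
            self.states.add(p)            # remember the flow for later packets
        return (matched.action, "rule")

def demo():
    rules = [Rule("block"),                        # block everything ...
             Rule("pass", "10.0.0.2", 80, True),   # ... except web and ssh
             Rule("pass", "10.0.0.2", 22, True)]   # to one host (constructed)
    fw = Filter(rules)
    first = fw.filter(Packet("192.0.2.1", "10.0.0.2", 40000, 80))  # walks all rules
    n1 = fw.rule_evals
    second = fw.filter(Packet("10.0.0.2", "192.0.2.1", 80, 40000))  # state hit
    n2 = fw.rule_evals - n1
    return first, n1, second, n2   # (('pass', 'rule'), 3, ('pass', 'state'), 0)
```

The memory cost Bryan raises is visible too: every passed connection adds an entry to `states`, which is why a real filter also needs per-state timeouts and a table size limit.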
