* Henrique de Moraes Holschuh:

> On Wed, 23 Jan 2008, Rolf Kutz wrote:
>> On 23/01/08 08:29 -0700, Michael Loftis wrote:
>>> It's better to leave the service disabled, or even better, completely
>>> uninstalled from a security standpoint, and from a DoS standpoint as
>>> well. The Linux kernel isn't very efficient at processing firewall
>>> rules. Newer
>>
>> I thought it was very efficient in doing so. YMMV.
>
> Quite the contrary. It is *dog* *slow* for non-trivial firewalls.

It depends a lot on the traffic characteristics. For a few, long flows, Netfilter is pretty efficient if you use connection tracking. Per-flow setup costs are also much lower than most of the proprietary offerings running on non-specialized hardware. It also helps that, unlike appliances, custom-built Linux packet filters typically use current CPUs with relatively large caches.

> You need to be doing some *heavy* firewalling (many rules) for any of that
> to really matter, and on very fast links (gigabit) because nobody will
> notice the firewall's speed on something as a 10Mbit/s link...

This is why Netfilter is considered fast: other implementations have trouble keeping up with 10 Mbit/s links. 8-P
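The trade-off the reply describes (connection tracking pays off for a few long flows, much less so for many short ones) can be made concrete with a toy cost model. This is an added example, not code from the thread; the rule count, the conntrack setup cost and the traffic mixes are constructed, and the model counts only rule evaluations, ignoring real per-packet overheads.

```python
"""Toy model of Netfilter chain-traversal cost with and without a
connection-tracking fast path (constructed illustration, not a benchmark)."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    # 5-tuple identifying the flow: (src, dst, proto, sport, dport)
    flow: tuple


def make_flows(n_flows, pkts_per_flow):
    """Constructed traffic: n_flows distinct TCP flows, each with pkts_per_flow packets."""
    return [Packet(("10.0.0.1", "10.0.0.2", "tcp", 40000 + f, 443))
            for f in range(n_flows) for _ in range(pkts_per_flow)]


def evaluations_without_conntrack(packets, n_rules):
    """Stateless filter: every packet walks the whole linear chain of n_rules."""
    return len(packets) * n_rules


def evaluations_with_conntrack(packets, n_rules, setup_cost):
    """Stateful filter whose first rule is 'ESTABLISHED,RELATED -> ACCEPT'.

    The first packet of a flow misses that rule, walks all n_rules and pays
    setup_cost to create the conntrack entry; every later packet of the flow
    matches rule 1 and stops there (cost 1)."""
    seen = set()
    cost = 0
    for p in packets:
        if p.flow in seen:
            cost += 1                       # fast path: state match only
        else:
            seen.add(p.flow)                # per-flow setup (assumed cost)
            cost += 1 + n_rules + setup_cost
    return cost


def compare(n_flows, pkts_per_flow, n_rules=200, setup_cost=50):
    """Return (stateless, stateful) evaluation counts for one traffic mix."""
    pkts = make_flows(n_flows, pkts_per_flow)
    return (evaluations_without_conntrack(pkts, n_rules),
            evaluations_with_conntrack(pkts, n_rules, setup_cost))


if __name__ == "__main__":
    # Same 1000 packets, two very different traffic shapes.
    print("few long flows  (2 x 500):", compare(2, 500))
    print("many short flows (1000 x 1):", compare(1000, 1))
```

With the constructed costs, two 500-packet flows cut evaluations from 200000 to 1500, while 1000 single-packet flows (the DoS-style mix) come out worse with tracking than without, which is the "depends on the traffic characteristics" point.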