Quoth the article: "Iptables has not been included in this benchmark because it does not do stateful filtering comparable to pf and IPFilter. The version of iptables that we tested employs connection tracking without any sequence number analysis for packets outside of the initial TCP handshake. While this is unsurprisingly faster, it would be an unfair performance comparison. There is a patch for iptables that adds sequence number checking, but it is still beta and is not included in the GNU/Linux distribution used for testing."

Iptables is stateful (if you use the state match of course), but not in the same way as pf/ipf. Since they couldn't perform a fair comparison (iptables would have been MUCH faster than ipf/pf, as they stated, but doesn't track all sequence numbers), they decided not to include it. This is fair reporting, nothing more.

As they note, there is a patch to make it do things more like pf/ipf, and it is the patch you refer to: "'Real Stateful TCP Packet Filtering in IP Filter' by Guido van Rooij". The paper is available at http://www.iae.nl/users/guido/papers/tcp_filtering.ps.gz. I haven't used the patch personally on any "production" systems, but I've talked with people who have and they say it seems to work fine. The patch-o-matic lists the status of the patch as "proven to be quite stable, but still experimental". This is the experimental/beta nature the article refers to. I don't see a date on the article (there's probably one there; I just don't see it), so the status may have been even more experimental when they did the testing for the report.

Hope this helps.

--MonMotha
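To make the distinction concrete, here is an added example (not from the article, the thread, or netfilter's own code) of the per-connection window check the van Rooij paper describes, in simplified form. It ignores 32-bit sequence wraparound and window scaling, does not pick up already established connections, and the `MAXACKWINDOW` tolerance and initial sequence numbers are constructed values; a tracker that only remembers the handshake would accept every segment in the trace, whereas the window check rejects the last one.

```python
# Simplified TCP window tracking in the spirit of the van Rooij scheme (constructed example).
# Simplifications: no 32-bit wraparound, no window scaling, first segment per side must be a SYN.
MAXACKWINDOW = 66000  # how far an ack may lag the peer's highest sent byte (constructed value)

class Endpoint:
    def __init__(self):
        self.end = 0     # highest seq+len this side has sent (SYN counts as one byte)
        self.maxend = 0  # highest seq this side may send: peer's last ack + peer's window
        self.maxwin = 0  # largest window this side has advertised; 0 = side not seen yet

class WindowTracker:
    def __init__(self):
        self.side = {"client": Endpoint(), "server": Endpoint()}

    def accept(self, direction, seq, length, ack=None, win=0, syn=False):
        snd = self.side[direction]
        rcv = self.side["server" if direction == "client" else "client"]
        end = seq + length + (1 if syn else 0)
        if snd.maxwin == 0:              # first segment from this side: learn its ISN from the SYN
            if not syn:
                return False
            snd.end = snd.maxend = end
            snd.maxwin = max(win, 1)
        if ack is None:                  # no ACK flag: treat it as acking exactly what we know
            ack = rcv.end
        ok = (seq <= snd.maxend                    # I.   data starts inside the peer's window
              and end >= snd.end - rcv.maxwin      # II.  at most one window behind (retransmit)
              and ack <= rcv.end                   # III. cannot ack bytes the peer never sent
              and ack >= rcv.end - MAXACKWINDOW)   # IV.  ack is not unreasonably old
        if ok:                           # only valid segments advance the tracked state
            snd.maxwin = max(snd.maxwin, win)
            snd.end = max(snd.end, end)
            rcv.maxend = max(rcv.maxend, ack + win)
        return ok

def run_trace():
    """Constructed trace: handshake, data, a retransmit, then a segment on the same
    4-tuple whose sequence number is far outside the window. Returns the verdicts."""
    c, s = 1000, 5000                    # constructed initial sequence numbers
    t = WindowTracker()
    trace = [  # (direction, seq, len, ack, win, syn)
        ("client", c, 0, None, 65535, True),                  # SYN
        ("server", s, 0, c + 1, 8192, True),                  # SYN-ACK
        ("client", c + 1, 0, s + 1, 65535, False),            # ACK completes the handshake
        ("client", c + 1, 100, s + 1, 65535, False),          # 100 bytes of data
        ("client", c + 1, 100, s + 1, 65535, False),          # retransmit of the same data
        ("client", c + 1_000_000, 100, s + 1, 65535, False),  # out-of-window segment
    ]
    return [t.accept(d, seq, ln, ack, win, syn) for d, seq, ln, ack, win, syn in trace]
```

Handshake-only tracking, which is what the article says the tested iptables did, would return True for all six segments here.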

Dustin Cross wrote:
I was just reading an article comparing the performance of opensource
firewalls (IPtables, IPfilter, and PF).  There is some interesting
information in it.

http://www.benzedrine.cx/pf-paper.html

IPtables was the best performing stateless firewall, but was not tested for
stateful packet inspection, because "it does not perform proper state
tracking".  This was news to me.  I was wondering if anyone on the list had
some insite on this?

I did some reading at http://www.iptables.org/ and found that there is a
patch that "allows netfilter do TCP connection tracking according to the
article Real Stateful TCP Packet Filtering in IP Filter by Guido van Rooij.
It supports window scaling, and can now handle already established
connections."

Here is a link to the paper they refer to:
http://www.usenix.org/events/sec01/invitedtalks/rooij.pdf

_______________________________________________
LUAU mailing list
http://videl.ics.hawaii.edu/mailman/listinfo/luau