On 1/24/07, Alexander Lind <[EMAIL PROTECTED]> wrote:
> If I have a busy HTTP server or cluster (by busy I mean one that gets hundreds of thousands of visitors per day), and I use an OpenBSD firewall, should I keep state for all incoming HTTP connections, or should I just pass them all in without state and then pass them all out without state instead of using states?

My advice: stateful filtering without a doubt. If you've got concerns with your state tables, you can increase the limits as needed, and if you've got a firewall able to support the traffic you shouldn't have a resource issue doing so (increased memory utilization, although not like it's a RAM hog).

DS
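
The two options from the question written as pf.conf rules, with the state limit raised as the reply suggests. This is an added example, not part of the original thread; the interface name, server address and limit value are assumptions chosen for illustration, the syntax is that of current pf, and only the external-interface rules are shown.

```conf
# /etc/pf.conf fragment (constructed example)

# Assumed values: adjust to the real interface and web server address.
ext_if = "em0"
web    = "192.0.2.10"

# Raise the hard limit on state table entries so a busy site does not
# hit the ceiling. 200000 is an illustrative figure; size it from the
# peak "current entries" value reported by `pfctl -si`.
set limit states 200000

block in log on $ext_if all

# Option A (the reply's recommendation): stateful filtering.
# One rule admits the initial SYN and creates a state entry; every later
# packet of the connection, in both directions, is matched against that
# state and checked for plausible TCP sequence numbers.
pass in on $ext_if inet proto tcp from any to $web port 80 \
    flags S/SA keep state

# Option B (the alternative in the question): stateless filtering.
# Left commented out. It needs a rule per direction, and the outbound
# rule accepts any TCP packet with source port 80 whether or not a
# client ever opened a connection, because nothing ties the packets
# to a session.
# pass in  on $ext_if inet proto tcp from any to $web port 80 no state
# pass out on $ext_if inet proto tcp from $web port 80 to any no state

# After loading with `pfctl -f /etc/pf.conf`:
#   pfctl -sm   shows the configured hard limits, including "states"
#   pfctl -si   shows "current entries" in the state table
```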