> On Thu, 25 Jan 2007, Travers Buda wrote:
> > That is a good point that state table lookups are cheaper. You're
> > right, keep state should be faster.
> >
> > On the other hand, if you are in dire need of more RAM, one could put
> > pass in quick proto tcp from any to any port 80
> > at the top of their filtering rules (but below blacklisted IPs =)).
> > Note the "quick" option. This would help mitigate the speed loss.
> >
> > Alec, would you mind doing a brief benchmark of the two techniques?
> > Just for kicks.
>
I just did some really basic stuff with http_load. Without pf at all, the mean connect() times were horrible, ranging from 48 to 76 ms. But, after a few runs with stateless (using pass quick) and keep state, the data I got showed that keep state is 12% faster. Now, of course, this number will vary between installations, but it does show keep state is indeed faster. My bad.

Travers Buda
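The two rule orderings discussed in the thread, written out as a pf.conf fragment. This is an added illustration, not configuration from the thread or from either poster; the interface name, the blacklist table file and the state limit are assumed values.

```pf
# Assumed interface name and blacklist file (not from the thread).
ext_if = "em0"
table <blacklist> persist file "/etc/pf.blacklist"

# Raise the state-table ceiling if the stateful variant is chosen;
# the default limit is what the memory concern in the thread is about.
set limit states 100000

# Default deny, then the blacklist first with "quick" so that a match
# ends rule evaluation before the web rule is ever reached.
block all
block in quick on $ext_if from <blacklist> to any

# --- Variant 1: stateless web rule (less memory, every packet is
# evaluated against the ruleset). "quick" stops evaluation on match.
# Return traffic has to be allowed explicitly because no state exists.
# On OpenBSD 4.1 and later, pass rules keep state by default, so the
# "no state" option is required to get this behaviour.
pass in  quick on $ext_if proto tcp from any to any port 80 no state
pass out quick on $ext_if proto tcp from any port 80 to any no state

# --- Variant 2: stateful web rule (one table lookup per packet after the
# handshake, measured ~12% faster in the thread). Only the SYN creates
# state; the state entry then permits the reply packets automatically.
# Use one variant or the other, not both.
# pass in quick on $ext_if proto tcp from any to any port 80 \
#     flags S/SA keep state
```

Whichever variant is used, `pfctl -s info` and `pfctl -s memory` show the current state count and limit, which is the figure to watch when deciding whether the memory saving of the stateless rule is actually needed.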

