> How much performance does connection tracking cost compared to basic
> non-connection tracking netfilter-firewall?

I know of no systematic analysis on this. It has an impact, especially when connection creation / teardown rate becomes high. But, on current server systems, you won't notice with less than 5000-10000 new connections per second. And that rate is far more than you'll have in almost all real-world setups.

> Do you see the difference with 10Mbps internet-connection?

What CPU are you asking about? I could imagine some old 386 struggling with two bad 10mbit/s ethernet cards, but connection tracking is then only a small part of your worries.

> When you enable connection tracking (-m state --state foo), does netfilter
> need to track ALL connections?

Yes.

> or is connection tracking used just for
> source/dest networks in that specific rule?

No. There is currently no standard way of selectively disabling connection tracking, though there are patches. Please read the archives.

best regards
Patrick
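Since conntrack, once loaded, tracks every connection the box sees, the practical check an operator wants is how full the tracking table is and which states dominate it (a burst of half-open SYN_SENT/UNREPLIED entries is the usual sign of the high connection-creation rate discussed above). The script below is an added example, not code from the thread or from the netfilter project: it parses the `/proc/net/nf_conntrack` line format and reports counts per protocol and TCP state plus the fraction of `nf_conntrack_max` in use. The sample entries and the table size passed to `table_pressure` are constructed for the example.

```python
"""Summarise a netfilter connection-tracking table dump (added example)."""
import re
from collections import Counter

# Constructed sample of /proc/net/nf_conntrack lines, not a real capture.
# Layout: l3proto l3num l4proto l4num timeout [tcp-state] key=value... [FLAGS]
SAMPLE_DUMP = """\
ipv4     2 tcp      6 431999 ESTABLISHED src=192.0.2.10 dst=198.51.100.5 sport=51234 dport=443 src=198.51.100.5 dst=192.0.2.10 sport=443 dport=51234 [ASSURED] mark=0 use=1
ipv4     2 tcp      6 117 SYN_SENT src=192.0.2.11 dst=198.51.100.5 sport=40000 dport=80 [UNREPLIED] src=198.51.100.5 dst=192.0.2.11 sport=80 dport=40000 mark=0 use=1
ipv4     2 tcp      6 118 SYN_SENT src=192.0.2.11 dst=198.51.100.5 sport=40001 dport=80 [UNREPLIED] src=198.51.100.5 dst=192.0.2.11 sport=80 dport=40001 mark=0 use=1
ipv4     2 udp      17 29 src=192.0.2.12 dst=198.51.100.53 sport=5353 dport=53 src=198.51.100.53 dst=192.0.2.12 sport=53 dport=5353 mark=0 use=1
ipv4     2 tcp      6 10 TIME_WAIT src=192.0.2.13 dst=198.51.100.5 sport=50001 dport=443 src=198.51.100.5 dst=192.0.2.13 sport=443 dport=50001 [ASSURED] mark=0 use=1
"""

ENTRY_RE = re.compile(
    r"^(?P<l3>\S+)\s+\d+\s+(?P<l4>\S+)\s+\d+\s+(?P<timeout>\d+)\s+(?P<rest>.*)$"
)


def parse_entry(line):
    """Parse one nf_conntrack line into a dict, or return None if it does not match."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return None
    rest = m.group("rest").split()
    # Only some protocols (tcp, sctp) carry a state word before the key=value tokens.
    state = None
    if rest and "=" not in rest[0] and not rest[0].startswith("["):
        state = rest.pop(0)
    flags = [tok.strip("[]") for tok in rest if tok.startswith("[")]
    fields = {}
    for tok in rest:
        if "=" in tok:
            key, value = tok.split("=", 1)
            # src/dst/sport/dport appear twice: original and reply direction.
            fields.setdefault(key, []).append(value)
    return {
        "l3": m.group("l3"),
        "l4": m.group("l4"),
        "timeout": int(m.group("timeout")),
        "state": state,
        "flags": flags,
        "fields": fields,
    }


def summarize(dump):
    """Count entries per L4 protocol and per TCP state, and half-open (UNREPLIED) entries."""
    entries = [e for e in (parse_entry(l) for l in dump.splitlines()) if e]
    return {
        "total": len(entries),
        "by_proto": dict(Counter(e["l4"] for e in entries)),
        "by_state": dict(Counter(e["state"] or "-" for e in entries)),
        "unreplied": sum("UNREPLIED" in e["flags"] for e in entries),
    }


def table_pressure(entry_count, nf_conntrack_max):
    """Fraction of the conntrack table in use; at 1.0 the kernel starts dropping new flows."""
    return entry_count / nf_conntrack_max


if __name__ == "__main__":
    summary = summarize(SAMPLE_DUMP)
    print(summary)
    # 65536 is an assumed value for net.netfilter.nf_conntrack_max on this host.
    print("table in use: %.2f%%" % (100 * table_pressure(summary["total"], 65536)))
```

On a live system, replace `SAMPLE_DUMP` with the contents of `/proc/net/nf_conntrack` and read the real limit from `/proc/sys/net/netfilter/nf_conntrack_max`; a rising share of `UNREPLIED` entries relative to `ESTABLISHED` ones is the thing to alert on.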
