On Sun, 24 Feb 2002, Patrick Schaaf wrote:
> > How much performance does connection tracking cost compared to basic
> > non-connection tracking netfilter-firewall?
>
> I know of no systematic analysis on this. It has an impact, especially
> when connection creation / teardown rate becomes high. But, on current
> server systems, you won't notice with less than 5000-10000 new connections
> per second. And that rate is far more than you'll have in almost all
> real world setups.
>
OK. It seems I won't have any performance problems.. 5000-10000 new
connections per second is really a lot.. I'm not going to have such high
numbers.
> > Do you see the difference with 10Mbps internet-connection?
>
> What CPU are you asking about? I could imagine some old 386 struggling
> with two bad 10mbit/s ethernet cards, but connection tracking is then
> only a small part of your worries.
>
I have P3/1GHz on my firewall.. so I guess I'm OK with connection
tracking.
> > When you enable connection tracking (-m state --state foo), does netfilter
> > need to track ALL connections?
>
> Yes.
>
OK.
> > or is connection tracking used just for
> > source/dest networks in that specific rule?
>
> No. There is currently no standard way of selectively disabling
> connection tracking, though there are patches. Please read the
> archives.
>
OK. I think I'm not going to need these patches (before they are in the
kernel..).
Thanks!
(I think this kind of question should be added to faq/howto..)
- Pasi Kärkkäinen
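Since, as the reply above states, a single `-m state` rule makes netfilter track every connection, the practical check is how full the tracking table gets. The following is an added example, not code from the thread: it parses the 2.4-era `/proc/net/ip_conntrack` line format and summarises the table by protocol, TCP state and unreplied entries. The sample lines and the `ip_conntrack_max` value are constructed for the example.

```python
from collections import Counter

# Constructed sample in the /proc/net/ip_conntrack format (not captured from
# a real host). TCP entries carry a state word after the timeout; UDP and
# ICMP entries go straight to the original-direction tuple.
SAMPLE_CONNTRACK = """\
tcp      6 431999 ESTABLISHED src=192.168.1.2 dst=10.0.0.1 sport=1234 dport=80 src=10.0.0.1 dst=192.168.1.2 sport=80 dport=1234 [ASSURED] use=1
tcp      6 117 TIME_WAIT src=192.168.1.3 dst=10.0.0.2 sport=2000 dport=443 src=10.0.0.2 dst=192.168.1.3 sport=443 dport=2000 [ASSURED] use=1
tcp      6 55 SYN_SENT src=192.168.1.4 dst=10.0.0.3 sport=3000 dport=25 [UNREPLIED] src=10.0.0.3 dst=192.168.1.4 sport=25 dport=3000 use=1
udp      17 29 src=192.168.1.2 dst=10.0.0.53 sport=5353 dport=53 src=10.0.0.53 dst=192.168.1.2 sport=53 dport=5353 use=1
icmp     1 29 src=192.168.1.5 dst=10.0.0.1 type=8 code=0 id=512 [UNREPLIED] src=10.0.0.1 dst=192.168.1.5 type=0 code=0 id=512 use=1
"""

TCP_STATES = {"ESTABLISHED", "SYN_SENT", "SYN_RECV", "FIN_WAIT", "CLOSE_WAIT",
              "LAST_ACK", "TIME_WAIT", "CLOSE", "LISTEN"}

def parse_entry(line):
    """Parse one ip_conntrack line: protocol name, protocol number, timeout,
    optional TCP state and the bracketed flags ([ASSURED], [UNREPLIED])."""
    fields = line.split()
    if len(fields) < 3:
        return None
    entry = {"proto": fields[0], "timeout": int(fields[2]), "state": None}
    rest = fields[3:]
    if entry["proto"] == "tcp" and rest and rest[0] in TCP_STATES:
        entry["state"] = rest.pop(0)
    entry["flags"] = {f.strip("[]") for f in rest if f.startswith("[")}
    return entry

def summarize(text):
    """Count tracked entries by protocol and TCP state; UNREPLIED entries are
    half-open connections the other side never answered."""
    entries = [e for e in (parse_entry(l) for l in text.splitlines()) if e]
    return {
        "total": len(entries),
        "by_proto": dict(Counter(e["proto"] for e in entries)),
        "by_state": dict(Counter(e["state"] for e in entries if e["state"])),
        "unreplied": sum(1 for e in entries if "UNREPLIED" in e["flags"]),
    }

def table_utilization(count, conntrack_max):
    """Fraction of ip_conntrack_max in use; at 1.0 the kernel drops packets
    that would need a new entry. conntrack_max here is a constructed value."""
    return count / conntrack_max

if __name__ == "__main__":
    stats = summarize(SAMPLE_CONNTRACK)
    print(stats, "utilization:", table_utilization(stats["total"], 4096))
```

On a live 2.4 box the same functions can be fed `open("/proc/net/ip_conntrack").read()` and the value of `/proc/sys/net/ipv4/ip_conntrack_max`.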