On Tue, May 14, 2002 at 09:02:28AM +0000, SB CH wrote:
> Hello,
>
> I hear that when I use connection tracking in iptables,
> the overhead of the system is high.
> Because the system maintains more memory tables
> about all the connections, right?
> So, some commercial firewall companies based on linux
> don't use the Stateful Inspection function in their product.
>
>
> I have some questions about this.
>
> 1. Is it true that SI (Stateful Inspection) uses so much memory and the
> function is useless from the point of view of performance?
for memory considerations, please read the FAQ. As for performance, it is usually increased, if you design your ruleset in the right way. The performance gain results from the reduced 'average iterated rules per packet'.

> 2. If this is true, is it possible that, for example,
> the telnet, pop, smtp services use the SI function and
> ftp-data, streaming, which require so much data,
> do not use the SI function?

> 3. At a firewall system, which is better: to use modules
> or to put them into the kernel statically? i.e. ip_tables, iptable_filter ..

well, there is a slight performance gain when compiling stuff into the kernel rather than loading the module. The performance gain can be compared to static/dynamic linking in userspace.

> 4. Have you ever heard about a gigabit firewall based on linux iptables?
> When I use a gigabit firewall, what more configuration is required in
> iptables?
> (Gigabit Ethernet and a very fast CPU and more?)

what is a 'gigabit firewall'? What are your filtering criteria? What is your ruleset? Do you want to do gigabit wirespeed (40 byte packets at a rate of 1.47 million packets per second?) ? There are hundreds of questions like this and every one will influence the answer.

> Thanks in advance.

-- 
Live long and prosper
- Harald Welte / [EMAIL PROTECTED]               http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
 V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
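The point in the reply about designing the ruleset so that the 'average iterated rules per packet' drops, as an added shell example that is not part of the original thread and is not Harald's or the netfilter project's code: the ruleset puts the ESTABLISHED,RELATED state match first, so packets of connections conntrack already knows terminate after a single rule and only NEW packets walk the per-service rules. The allowed ports (22, 25, 110, 21), the loopback rule and the 95% "tracked packets" share used in the estimate are assumptions made for the example; the script only echoes the iptables commands unless IPT is set to the real binary.

```shell
#!/bin/sh
# Added example, not from the original thread. Dry-run by default: IPT expands
# to "echo iptables", so the rules are printed instead of applied. Run as root
# with IPT=iptables to actually load them.
IPT="${IPT:-echo iptables}"

# Assumed services reachable from outside (hypothetical for this example).
ALLOWED_TCP_PORTS="22 25 110"

emit_ruleset() {
    $IPT -P INPUT DROP
    $IPT -F INPUT
    # Rule 1: the bulk of traffic belongs to connections conntrack already
    # tracks; those packets match here and never touch the rules below.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Packets conntrack cannot associate with any connection are dropped early.
    $IPT -A INPUT -m state --state INVALID -j DROP
    $IPT -A INPUT -i lo -j ACCEPT
    # Only NEW packets (the first SYN of each connection) reach the per-service
    # rules, so adding services here costs almost nothing per packet.
    for p in $ALLOWED_TCP_PORTS; do
        $IPT -A INPUT -p tcp --dport "$p" -m state --state NEW -j ACCEPT
    done
    # ftp control channel; with ip_conntrack_ftp loaded the data connection is
    # classified RELATED and is accepted by rule 1 without its own rule.
    $IPT -A INPUT -p tcp --dport 21 -m state --state NEW -j ACCEPT
}

# Rough estimate of the average number of rules evaluated per packet with the
# ordering above: tracked packets stop at rule 1, the remainder may walk all
# rules. $1 = percentage of packets belonging to tracked connections,
# $2 = number of rules in the chain.
avg_rules_per_packet() {
    awk -v t="$1" -v n="$2" 'BEGIN { printf "%.2f\n", (t * 1 + (100 - t) * n) / 100 }'
}

# Print the conntrack table limit if this kernel exposes it (2.4 path first,
# then the 2.6+ path); returns 1 when neither sysctl exists.
conntrack_max() {
    for f in /proc/sys/net/ipv4/ip_conntrack_max \
             /proc/sys/net/netfilter/nf_conntrack_max; do
        if [ -r "$f" ]; then
            cat "$f"
            return 0
        fi
    done
    echo "conntrack sysctl not found (module not loaded?)" >&2
    return 1
}

emit_ruleset
conntrack_max || true
```

With the assumed 95% share of tracked packets and the seven rules the function emits, the estimate comes out at 1.30 rules per packet; moving the ESTABLISHED,RELATED rule to the end of the chain would instead make every tracked packet walk all seven. On kernels from 2.6 onward the equivalent match is spelled `-m conntrack --ctstate`, and the table size lives under /proc/sys/net/netfilter/nf_conntrack_max rather than the 2.4 ip_conntrack path.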
