IMHO ipf/ipfw also reside in kernel space (e.g. options IPFILTER). iptables also uses a userland tool to alter the ruleset, via the 'iptables' command itself.
For basic packet filtering (iptables, ipfw and ipfilter)...imho, I don't think either one is significantly faster than the other :-)
(I don't feel the same way about Linux's IP masq vs NATD though) ;-)
By default, iptables may be noticeably faster only in stateless filtering. It's due to the fact that it evaluates the rule set only once by using a forwarding chain. The forwarding chain evaluates the rule set based on a packet's complete path through the machine.
Also, the way you write the rules and organize them *might* be a factor too. (Although I'm thinking about the way ipfilter processes its rules here.)
Overhead due to hundreds of iptables rules may not be an issue to others.
True :-)
regards, Kenneth
--
Philippine Linux Users' Group (PLUG) Mailing List [EMAIL PROTECTED] (#PLUG @ irc.free.net.ph) Official Website: http://plug.linux.org.ph Searchable Archives: http://marc.free.net.ph . To leave, go to http://lists.q-linux.com/mailman/listinfo/plug . Are you a Linux newbie? To join the newbie list, go to http://lists.q-linux.com/mailman/listinfo/ph-linux-newbie
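The "hundreds of rules" and "how you organize them" points above can be made concrete with a small model of first-match chain evaluation. This is an added example, not code from the post or from netfilter: it assumes a simplified linear FORWARD chain with first-match semantics and a conntrack "ESTABLISHED" flag on each packet, and it only counts how many rules are examined before a verdict, not real kernel cost.

```python
"""Toy model of first-match rule evaluation in a linear FORWARD chain (assumption, not the kernel's code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    dst: str
    dport: int
    established: bool  # whether conntrack already knows this flow (assumed kernel input)


@dataclass(frozen=True)
class Rule:
    target: str                     # ACCEPT or DROP
    dst: Optional[str] = None       # match on destination address, None = any
    dport: Optional[int] = None     # match on destination port, None = any
    state: Optional[str] = None     # "ESTABLISHED" matches only tracked flows

    def matches(self, p: Packet) -> bool:
        if self.state == "ESTABLISHED" and not p.established:
            return False
        if self.dst is not None and self.dst != p.dst:
            return False
        return self.dport is None or self.dport == p.dport


def walk_chain(rules: List[Rule], p: Packet, policy: str = "DROP") -> Tuple[str, int]:
    """Return (verdict, number_of_rules_examined) using first-match semantics."""
    for i, r in enumerate(rules, 1):
        if r.matches(p):
            return r.target, i
    return policy, len(rules)  # chain policy applies after every rule was examined


def stateless_chain(n_hosts: int) -> List[Rule]:
    """Constructed sample: one per-host ACCEPT for port 80, i.e. 'hundreds of rules'."""
    return [Rule("ACCEPT", dst=f"10.0.0.{h}", dport=80) for h in range(1, n_hosts + 1)]


def stateful_chain(n_hosts: int) -> List[Rule]:
    """Same rules, but a single conntrack rule in front short-circuits known flows."""
    return [Rule("ACCEPT", state="ESTABLISHED")] + stateless_chain(n_hosts)


def evaluations(rules: List[Rule], packets: List[Packet]) -> int:
    """Total rules examined for a packet sample; lower means less per-packet overhead."""
    return sum(walk_chain(rules, p)[1] for p in packets)


# Constructed traffic: 10 new connections to the last host, then 90 packets on established flows.
SAMPLE_PACKETS = [Packet("10.0.0.200", 80, False)] * 10 + [Packet("10.0.0.200", 80, True)] * 90
```

With 200 hosts the stateless layout examines 20000 rules for this sample while the conntrack-first layout examines 2100, which is the ordering effect the post alludes to.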
