[nycbug-talk] home grown firewall solutions ...

Fabian Keil freebsd-listen at fabiankeil.de
Sun Mar 12 07:54:27 EST 2006


alex at pilosoft.com wrote:

> c) it is, however, nontrivial to do this with pf 'keep state', if
> that's what you want. if you want to keep state, you need lots of CPU
> power and/or memory and/or hackery.

Are you sure this is true for PF?

Quote from http://kerneltrap.org/node/477:

|JA: How does pf performance compare to other stateful packet filters?
|
|Daniel Hartmeier: In the benchmarks I did and based on the feedback
|from people who compared pf with other filters on production machines,
|very well, often significantly better. In particular, we found that
|keeping state on all connections scales well and is faster than
|stateless rule evaluation.

Fabian
-- 
http://www.fabiankeil.de/