[nycbug-talk] home grown firewall solutions ...
freebsd-listen at fabiankeil.de
Sun Mar 12 07:54:27 EST 2006
alex at pilosoft.com wrote:
> c) it is, however, nontrivial to do this with pf 'keep state', if
> that's what you want. if you want to keep state, you need lots of CPU
> power and/or memory and/or hackery.
Are you sure this is true for PF?
Quote from http://kerneltrap.org/node/477:
|JA: How does pf performance compare to other stateful packet filters?
|Daniel Hartmeier: In the benchmarks I did and based on the feedback
|from people who compared pf with other filters on production machines,
|very well, often significantly better. In particular, we found that
|keeping state on all connections scales well and is faster than
|stateless rule evaluation.