[unisog] IPTables as high bandwidth firewall

Rudolph Pereira rudolph at usyd.edu.au
Wed Aug 3 23:07:44 GMT 2005


On Wed, Aug 03, 2005 at 03:00:45PM -0700, Johan van Reijendam wrote:
<snip>
> 4. What about
> 
> - Large rule sets
You might want to look into nf-hipac (http://www.hipac.org/).
The last time I did any testing on this, default iptables performance
with many rules (I believe anything above the 1000 magnitude) was
abysmal. With those patches, performance was marginally above openbsd/pf
on the same hardware (near 1gb/linespeed, iirc)

I think this is going to be an issue given that some of the shortcuts
(tables, etc) available via pf on the *bsds aren't available on linux, so
it might be _more_ likely you'd need larger rulesets.

hth.
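The scaling concern in the reply above, illustrated with a toy model. This is an added example, not code from the poster, from iptables or from nf-hipac: it counts how many rule comparisons a single packet costs when a flat chain is walked first-match (what a plain iptables chain does) versus one lookup in a prefix table (the kind of shortcut pf tables or a hipac-style classifier provide). The rules and packets are constructed here, all rules are assumed to be /24 source matches so the "table" can be a plain dict keyed on the masked address, and the cost metric is comparisons, not wall-clock time.

```python
"""Toy model of first-match firewall evaluation (added example, not from the
original post). Contrasts a linear chain of N rules with a prefix-table lookup
by counting rule comparisons per packet. All inputs are constructed."""
import ipaddress


def make_rules(n):
    """Construct n distinct /24 DROP rules inside 10.0.0.0/8 (constructed data).
    Rule i covers 10.(i // 256).(i % 256).0/24, so n up to 65536 stays unique."""
    return [
        (ipaddress.ip_network(f"10.{i // 256}.{i % 256}.0/24"), "DROP")
        for i in range(n)
    ]


def linear_match(rules, src):
    """Walk the chain top to bottom, stopping at the first matching rule.
    Returns (verdict, comparisons); a miss costs a comparison per rule."""
    addr = ipaddress.ip_address(src)
    for i, (net, verdict) in enumerate(rules, 1):
        if addr in net:
            return verdict, i
    return "ACCEPT", len(rules)  # chain policy after testing every rule


def build_table(rules):
    """Index the /24 rules by network address so a packet costs one lookup.
    Assumption: every rule is a /24 (a real table would use an LPM trie)."""
    return {int(net.network_address): verdict for net, verdict in rules}


def table_match(table, src):
    """Mask the source to /24 and look it up; cost is constant (1 lookup)."""
    key = int(ipaddress.ip_address(src)) & 0xFFFFFF00
    return table.get(key, "ACCEPT"), 1


def compare(n, src):
    """Evaluate one packet against n rules in both models and return the
    comparison counts as (linear, table). Both models must agree on the verdict."""
    rules = make_rules(n)
    table = build_table(rules)
    linear_verdict, linear_cost = linear_match(rules, src)
    table_verdict, table_cost = table_match(table, src)
    assert linear_verdict == table_verdict
    return linear_cost, table_cost


if __name__ == "__main__":
    # A packet that matches nothing pays for the whole chain; the table does not.
    for n in (10, 100, 1000, 10000):
        print(n, "rules, unmatched packet:", compare(n, "192.168.1.1"))
    # A packet hitting rule 10 is cheap either way.
    print("1000 rules, packet hitting rule 10:", compare(1000, "10.0.9.77"))
```

The unmatched-packet case is the one that matters for a border firewall: most traffic falls through to the default policy, so each packet pays for the whole chain, and cost grows linearly with rule count, which is the behaviour the reply describes as abysmal around a thousand rules.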