Re: [fw-wiz] Inspecting routers

From: Mikael Olsson
To: Lorens Kockum
Date: Mon Nov 25 23:00:01 2002


I've got some disagreeing to do ...

Lorens Kockum wrote:
> It will, on the other hand, cost you. Stateful filtering is
> more expensive than non-stateful in terms of CPU / memory /
> performance.

... here. Stateful filtering is indeed more expensive in terms
of memory. It _might_ be more expensive if what you are doing
is adding and removing real rules to/from the ruleset à la
Cisco router reflexive ACLs (but I thought people stopped doing
that after Nimda killed their routers; maybe I'm wrong :P)

IF however you are using a firewall built expressly for SPFing,
you'll find that it's LESS expensive in terms of CPU crunching
and performs better. Think about it; a state lookup can be done
with a single hash lookup on primitive data types. A (linear)
ruleset lookup will result in lookups against (typically) more
complex datatypes, one for each and every rule you look at.

That said, one _can_ get fancy on the rule lookup algorithm itself and
get it done in more-or-less constant time, but that still only puts
things more or less on par with the speed of the state lookup, and with
none of the benefits that you can get from keeping state.

Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50
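The cost argument above (one hash lookup on a primitive tuple versus a linear scan over rules built from prefixes and port ranges) as a small added model in Python; this is illustrative code written for this page, not Clavister's or anyone's product code. The ruleset, addresses and the rule-evaluation counter are constructed assumptions; the counter makes the difference visible rather than measuring real CPU time.

```python
import ipaddress
from collections import namedtuple
# Packet is the primitive 5-tuple a state lookup hashes on; Rule is the
# "more complex datatype" (prefixes, port range) a ruleset has to compare.
Packet = namedtuple("Packet", "src dst sport dport proto")
Rule = namedtuple("Rule", "src_net dst_net dport_lo dport_hi proto action")

def rule_matches(r, p):
    return (p.proto == r.proto
            and ipaddress.ip_address(p.src) in ipaddress.ip_network(r.src_net)
            and ipaddress.ip_address(p.dst) in ipaddress.ip_network(r.dst_net)
            and r.dport_lo <= p.dport <= r.dport_hi)

def flow_key(p):
    # Order the endpoints so both directions of a flow map to one state entry.
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (p.proto,) + (a + b if a <= b else b + a)

class StatefulFilter:
    def __init__(self, rules, default="drop"):
        self.rules, self.default = rules, default
        self.state = {}        # hash table keyed on the normalised flow tuple
        self.rule_evals = 0    # count of rule comparisons actually performed

    def lookup_rules(self, p):
        for r in self.rules:   # linear first-match scan: the expensive path
            self.rule_evals += 1
            if rule_matches(r, p):
                return r.action
        return self.default

    def filter(self, p):
        key = flow_key(p)
        if key in self.state:  # one hash lookup; no rule is touched
            return self.state[key]
        verdict = self.lookup_rules(p)
        if verdict == "accept":   # only accepted flows earn a state entry
            self.state[key] = verdict
        return verdict

def demo():
    # Constructed ruleset and traffic (assumptions, not from the mail).
    rules = [Rule("10.0.0.0/8", "192.0.2.0/24", 22, 22, "tcp", "drop"),
             Rule("10.0.0.0/8", "192.0.2.0/24", 80, 443, "tcp", "accept"),
             Rule("0.0.0.0/0", "0.0.0.0/0", 0, 65535, "tcp", "drop")]
    fw = StatefulFilter(rules)
    syn = Packet("10.1.2.3", "192.0.2.10", 40000, 443, "tcp")
    reply = Packet("192.0.2.10", "10.1.2.3", 443, 40000, "tcp")
    verdicts = [fw.filter(p) for p in [syn, reply] * 5]
    stateless_reply = StatefulFilter(rules).lookup_rules(reply)
    return verdicts, fw.rule_evals, len(fw.state), stateless_reply
```

Ten packets of one flow cost two rule comparisons in total; every packet after the first, including the replies, is answered by the state table alone, and the stateless reference run shows the reply falling through to the final drop rule, which is the "benefit of keeping state" the mail refers to.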