Re: Stateful Inspection
From: Erik (erik@geenspam.vanwesten.net) Date: 05/17/02
- Next message: Erik: "Re: One Firewall with DMZ versus Two Firewalls"
- Previous message: Larry W4CSC: "Re: Norton Firewall and Networked PC's"
- In reply to: Wolfgang Kueter: "Re: Stateful Inspection"
- Next in thread: x y: "Re: Stateful Inspection"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: Erik <erik@geenspam.vanwesten.net> Date: 16 May 2002 22:59:47 GMT
Wolfgang Kueter <wolfgang@shconnect.de> wrote:
[snip: stateful packet filters are fast]
> Simply wrong, stateful packet filters are slower than non-stateful
> ones, because the rules change dynamically.
?? Elaborate. Look at IPF, then see that packets which are already in
the state table are checked for, among other things, IP addresses and
sequence numbers. Non-stateful packet filters will have to check _every_
packet _completely_ against the _complete_ ruleset. Do you want to make
a bet on which is faster?
> Therefore they consume more
> memory and CPU time than non-stateful packet filters.
That seems to depend on the implementation of the states. At least in
IPF and pf, but most probably also in iptables, this is absolutely not
true. I doubt that the commercially available packages are that
different.
Did you run benchmarks?
EJ
--
For OpenBSD pf and nat rule examples: http://www.vanwesten.net
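A toy model of the point argued in the message above, added here as an example (it is not code from the thread, nor from IPF, pf or iptables): once a flow has an entry in the state table, a packet is checked only against that entry's addresses, ports and a sequence-number window, while a stateless filter walks the complete ruleset for every packet. The ruleset, the packet fields, the SYN-creates-state rule and the window size are constructed assumptions; the `compare` function counts rule evaluations and blocked packets for both approaches.

```python
from collections import namedtuple

# Constructed packet model: the four key fields, a TCP sequence number and a SYN flag.
Packet = namedtuple("Packet", "src sport dst dport seq syn", defaults=(False,))

# Constructed ruleset: (source prefix, destination, port, action); the last entry is the default block.
RULES = [
    ("10.0.0.", "192.0.2.10", 80, "pass"),
    ("10.0.0.", "192.0.2.10", 443, "pass"),
    ("10.0.1.", "192.0.2.20", 22, "pass"),
    ("", "", None, "block"),
]

def stateless_filter(pkt):
    """Walk the whole ruleset for every packet. Returns (action, rules evaluated)."""
    for n, (src, dst, port, action) in enumerate(RULES, 1):
        if pkt.src.startswith(src) and pkt.dst.startswith(dst) and port in (None, pkt.dport):
            return action, n
    return "block", len(RULES)

WINDOW = 65535  # toy acceptance window for sequence numbers (real filters track both directions)

class StatefulFilter:
    def __init__(self):
        self.states = {}  # (src, sport, dst, dport) -> last accepted sequence number

    def filter(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if key in self.states:
            # Existing state: only addresses/ports (the key) and the sequence number are checked;
            # the ruleset is not consulted at all.
            last = self.states[key]
            if last < pkt.seq <= last + WINDOW:
                self.states[key] = pkt.seq
                return "pass", 0
            return "block", 0
        action, n = stateless_filter(pkt)  # new flow: consult the ruleset once
        if action == "pass" and pkt.syn:
            self.states[key] = pkt.seq  # a passed SYN creates the state entry
        return action, n

def compare(packets):
    """Return ((rule evaluations, blocked), ...) for the stateless and the stateful filter."""
    sf = StatefulFilter()
    results = [[stateless_filter(p) for p in packets], [sf.filter(p) for p in packets]]
    return tuple((sum(n for _, n in r), sum(a == "block" for a, _ in r)) for r in results)
```

For a ten-packet flow the stateless filter evaluates rules for every packet, the stateful one only for the SYN; a packet whose sequence number falls outside the window is blocked by the stateful filter but passed by the stateless one, which is the extra checking the state table buys.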