>> There is a certain amount of sense in what you've said here -
>>   * doing stateful filtering for a busy web server just makes no sense on
>>     port 80 as the real threat is in the content,
>
> This is true, but doesn't stateful filtering speed up processing?
> If an entry is found in the state table, the packet doesn't have to be checked
> against every rule again, or?
I think it is faster to have keep state. The "pass in quick" rules for the things I sneak through start at lines 4-12 as a way to manage the cost of scanning the table. Each time I bypass the 'keep state' rule I cringe, as it means the servers behind the firewall are now going to see broken-state client traffic that some systems just don't handle gracefully.

peter
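The rule ordering the post describes, written out as an added example (not the poster's ruleset; it assumes OpenBSD pf syntax with explicit "keep state", and the interface, addresses and ports are placeholders). Stateless "quick" rules for the busy web port come first so that traffic never walks the rest of the list or fills the state table; the stateful catch-all follows:

```pf
# Assumed pf.conf fragment: OpenBSD pf syntax, explicit "keep state" as in
# older rulesets. fxp0, 192.0.2.10 and the port list are placeholders.
ext_if = "fxp0"
web    = "192.0.2.10"

set skip on lo0
block in log on $ext_if all

# Stateless exceptions first: "quick" stops rule evaluation at the first
# match, so the high-volume port-80 stream never scans the remaining rules
# and never occupies a state-table entry. The cost is that packets with no
# matching state (no SYN seen, expired or stale states) are handed to the
# server unchecked, which is the "broken-state client traffic" mentioned above.
pass in  quick on $ext_if proto tcp from any to $web port 80 no state
pass out quick on $ext_if proto tcp from $web port 80 to any no state

# Everything else is tracked: the first packet of a connection (SYN only,
# per flags S/SA) creates a state entry, and later packets are matched
# against the state table before the rule list is consulted at all.
pass in  on $ext_if proto tcp from any to $web port { 22 443 } flags S/SA keep state
pass out on $ext_if proto { tcp udp icmp } from $web to any keep state
```

Whether the quick rules are actually catching the bulk traffic can be checked with `pfctl -vsr`, which prints per-rule Evaluations, Packets and States counters; a stateless rule that shows a large packet count and zero states is doing exactly what the post describes, bypassing the state table.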
