On Wednesday 05 February 2003 16:43, Stefan Sonnenberg-Carstens wrote:
> I don't think this is necessary, because you've got the "on" keyword.
> Filtering occurs in the kernel AFTER the packet is passed in by the NIC
> driver. I think your suggestion would require separate filters for each NIC,
> which would cause some things not to function properly (states etc).

States are created for one interface, where the rule matched.
This is why you filter/keep-state only on one interface of a bridge/gateway.


> Trust the skip-steps, they do what they should, well enough (we have such a
> bridge firewall here with about 400 rules, on a 400MHz PIII with 256MByte
> RAM and NO load or latency problems, nor problems with throughput).
> I think such a separation (even only for config files) makes no sense.

Yes, PF is faster than IPF.
However, some penguins out there can provide better performance for a gateway
setup, including some checksum validation such as TCP's.
This means that we could do better ;-)


        Ed
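The one-interface pattern Ed describes above, written out as an added pf.conf example (this is not configuration from the thread or from either poster, and the interface names fxp0/fxp1 and the service list are assumed placeholders). On a bridge every packet crosses both interfaces, so creating state on both would mean two rule sets tracking the same flow; instead all filtering and state tracking are confined to the outside interface, and the inside interface passes everything without state.

```pf
# Added example, not from the original thread. Bridge between $ext_if
# (outside) and $int_if (inside); interface names are placeholders.
ext_if = "fxp0"
int_if = "fxp1"
services = "{ 22, 80, 443 }"

# Inside interface: no filtering and no state. "quick" ends rule
# evaluation so nothing below is applied to packets on $int_if.
pass in  quick on $int_if all
pass out quick on $int_if all

# Outside interface: default deny in both directions, then create
# states only here. Because the state is bound to the rule that
# matched on $ext_if, return packets are matched on $ext_if as well.
block in  on $ext_if all
block out on $ext_if all

# Connections opened from the inside: allow the initial SYN out and
# keep state so the replies are accepted on this same interface.
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state

# A few inbound services; state is kept on $ext_if only, so no
# corresponding rule is needed on $int_if.
pass in on $ext_if proto tcp from any to any port $services flags S/SA keep state
```

Check the syntax without loading it using `pfctl -nf /etc/pf.conf`; with the file loaded, `pfctl -ss` shows that every state carries the outside interface name, which is the observable form of "states are created for one interface, where the rule matched".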


