On 16 Mar 2002, Gordon Messmer wrote:

> On Sat, 2002-03-16 at 12:05, Jack Bowling wrote:
> > ** Reply to message from Gordon Messmer <[EMAIL PROTECTED]> on Sat, 16 Mar 2002 11:53:05 -0800
> >
> > > It becomes less appropriate when the amount of traffic to be firewalled
> > > approaches half the bandwidth of the PCI bus. Hardware firewalls tend
> > > to have much faster backplanes. You can sometimes compensate for this
> > > by having more firewalls in front of smaller groups of networks/hosts.
> >
> > Note also that the NAPI framework has just been dropped into the 2.5.x kernel
> > development tree and will likely be backported to the 2.4 series. It allows much
> > faster processing of interrupts and apparently makes a huge positive difference in
> > throughput, which in turn will likely improve the netfilter/iptables side.
>
> Doesn't really change my point. There's only so much bandwidth
> available to the PCI bus. The PC architecture isn't going to process an
> infinite number of packets. Your very expensive switches have
> backplanes that can transfer gigabits of data per second.
Your very expensive switches, however configurable they may be, are not firewalls...stateful or otherwise. In all honesty, aren't all firewalls truly some sort of computer with multiple NICs and a program that interprets and rejects or allows traffic to pass?

_______________________________________________
Redhat-list mailing list
[EMAIL PROTECTED]
https://listman.redhat.com/mailman/listinfo/redhat-list
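The "half the bandwidth of the PCI bus" rule of thumb in the thread follows from the fact that a forwarded frame crosses the bus twice (NIC to RAM on ingress, RAM to NIC on egress), and the NAPI point follows from the interrupt-per-packet rate of a 100 Mbit/s link with small frames. The model below is an added example, not code from any poster: the PCI width/clock figures are the nominal bus numbers, while the bus efficiency factor, the per-frame descriptor overhead (`desc_bytes`) and the frames-per-interrupt parameter are illustrative assumptions to be tuned for a real chipset and NIC.

```python
"""Back-of-the-envelope capacity model for a PC firewall forwarding between two NICs.

Added example, not code from the thread. Bus figures are nominal PCI clock/width
numbers; efficiency, desc_bytes and frames_per_interrupt are illustrative assumptions.
"""
from dataclasses import dataclass

# Bytes a frame occupies on the wire beyond the frame itself (frame_bytes includes FCS):
# 7-byte preamble + 1-byte SFD + 12-byte inter-frame gap.
WIRE_OVERHEAD = 20


@dataclass(frozen=True)
class Bus:
    name: str
    width_bits: int
    clock_hz: float

    def bytes_per_second(self) -> float:
        """Theoretical peak transfer rate of the bus."""
        return self.width_bits / 8 * self.clock_hz


PCI_32_33 = Bus("PCI 32-bit/33 MHz", 32, 33.33e6)   # ~133 MB/s peak
PCI_64_66 = Bus("PCI 64-bit/66 MHz", 64, 66.66e6)   # ~533 MB/s peak


def packets_per_second(link_bps: float, frame_bytes: int) -> float:
    """Frames/s a link carries at a fixed frame size (64-byte frames on 100 Mbit/s: ~148,810)."""
    return link_bps / ((frame_bytes + WIRE_OVERHEAD) * 8)


def max_forward_bps(bus: Bus, frame_bytes: int,
                    efficiency: float = 0.6, desc_bytes: int = 32) -> float:
    """Bits/s the box can forward before the PCI bus, not the CPU, is the limit.

    Every forwarded frame crosses the bus twice (NIC -> RAM, then RAM -> NIC).
    With efficiency=1.0 and desc_bytes=0 this is exactly half the bus bandwidth.
    efficiency (arbitration, burst setup) and desc_bytes (descriptor read/write-back
    per crossing) are assumed values, not measurements.
    """
    usable_bytes = bus.bytes_per_second() * efficiency
    bus_bytes_per_frame = 2 * (frame_bytes + desc_bytes)
    return usable_bytes / bus_bytes_per_frame * frame_bytes * 8


def interrupt_rate(link_bps: float, frame_bytes: int, frames_per_interrupt: int = 1) -> float:
    """Interrupts/s one NIC raises. frames_per_interrupt=1 is the interrupt-per-packet
    worst case that NAPI polling avoids by draining a batch of frames per interrupt."""
    return packets_per_second(link_bps, frame_bytes) / frames_per_interrupt


def report(bus: Bus, link_bps: float = 100e6) -> list:
    """Per frame size: link pps, bus-limited forward rate, whether the bus is the bottleneck."""
    rows = []
    for frame in (64, 512, 1518):
        pps = packets_per_second(link_bps, frame)
        fwd = max_forward_bps(bus, frame)
        rows.append({
            "frame_bytes": frame,
            "link_pps": round(pps),
            "bus_limit_mbps": round(fwd / 1e6, 1),
            "bus_bound": fwd < link_bps,   # True when the bus caps below the link rate
            "irq_per_s_no_napi": round(interrupt_rate(link_bps, frame)),
            "irq_per_s_napi_64": round(interrupt_rate(link_bps, frame, 64)),
        })
    return rows


if __name__ == "__main__":
    for link in (100e6, 1e9):
        for bus in (PCI_32_33, PCI_64_66):
            print(f"{bus.name} behind a {link / 1e6:.0f} Mbit/s link")
            for row in report(bus, link):
                print("  ", row)
```

Run it and the 32-bit/33 MHz case shows a 100 Mbit/s link is comfortably CPU-bound rather than bus-bound, while a gigabit link of small frames saturates the bus at a few hundred Mbit/s regardless of how fast the CPU or netfilter code path is; the interrupt columns show why the per-packet interrupt load at 64-byte frames is what NAPI attacks.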