-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

O wise netfilter guruz, I pray unto thee in hopes you can answer my most humble questions.

I have been all over the net and looked through the mailing list archives, but cannot find an answer to questions that have been asked a number of times, but never with the proper specifications, so I will attempt to ask in a more proper form.

First: netfilter vs. PIX, considering packet filtering only, and ignoring the "extra" things such as VPN and pretty GUI, administration costs, purchase price, and CYA.

What things can I do with an iptables firewall that I cannot do with a PIX firewall? I know about log tagging, but what else?

If the "costs" are not an issue, and the Cisco extras are not necessary, would you go with a PIX or a netfilter solution, and why? (Skip the "'cause Linux rulez" answers.)

It seems that every time this question was asked in the past the answer was "PIX comes with Cisco CYA", or "what about the admin overhead", or "depends on your requirements". I am interested (as I am sure others are) in the technical differences. I am not trying to build a business case.

Second: Performance

If I make a monolithic kernel with everything stripped out of it except for the code I need to run a netfilter firewall with stateful inspection, and I have only the basic ruleset (everything out; established + mail + web + ssh in; drop illegal IP addresses and flag combinations), basically a network noise filter:

How many new connections per second can I expect to handle on what type of box?
What type of throughput should I expect on what type of box?

Please note, I have both types of firewalls, and I am just trying to plan out how many of what I should put where and why. I really would prefer to use netfilter over PIX; it will be an educational exercise for me. I can D/L FreeS/WAN and all the other goodies, and have plenty of boxen lying around collecting dust, lots of time, and get paid no matter what I decide to do (see sig).

There has to be someone, somewhere, who understands what I am asking and has the answers. I have the asbestos underwear properly installed, so flame on. I will summarize back to the list.

-- 
Mike Taylor, GSEC
Non Impediti Ratione Cogitationis
Coordinator of Systems Administration and Network Security
Indiana State University
Rankin Hall Rm 039
210 N 7th St.
Terre Haute, IN
Voice: 812-237-8843

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)

iD8DBQE966WlknPysOadsKcRAj8HAJ0fYo3EBa9dcjKB/rbwcNRCKE+RpwCgulCb
38DjnIigdHaCkyWmWbpkyNA=
=mReT
-----END PGP SIGNATURE-----
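The "basic ruleset" the post describes (everything out; established plus mail, web and ssh in; illegal source addresses and TCP flag combinations dropped), written out as an iptables-restore file. This is an added example, not part of Mike's message or of any reply to it. The outside interface name (eth0), the port list (22, 25, 80 and 443; the post does not say whether "web" includes HTTPS), the choice of which address ranges count as "illegal" on that interface, and the decision to filter only the INPUT chain are all assumptions. The script prints the ruleset rather than loading it, so it can be read and checked without root; `load` runs it through `iptables-restore --test` before committing it.

```shell
#!/bin/sh
# Added example, not from the original post. Assumptions: the outside
# interface is eth0 and sits on public address space (so RFC 1918 and
# other reserved ranges are "illegal" as source addresses there), the
# accepted inbound services are ssh/smtp/http/https, and only traffic
# to the firewall itself (INPUT) is filtered.
EXT_IF="${EXT_IF:-eth0}"

# Emit the ruleset in iptables-restore(8) format on stdout.
# Rule order is chosen with the throughput question in mind: the
# ESTABLISHED,RELATED match comes first so the bulk of packets hit one
# rule, and the sanity chains only see packets that are not part of an
# existing flow. "-m state --state" is the older spelling of
# "-m conntrack --ctstate" and still works.
gen_ruleset() {
  cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
:BADSRC - [0:0]
:BADFLAGS - [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -i $EXT_IF -j BADSRC
-A INPUT -p tcp -j BADFLAGS
-A INPUT -p tcp ! --syn -m conntrack --ctstate NEW -j DROP
-A INPUT -p tcp --syn -m conntrack --ctstate NEW -m multiport --dports 22,25,80,443 -j ACCEPT
-A BADSRC -s 0.0.0.0/8 -j DROP
-A BADSRC -s 10.0.0.0/8 -j DROP
-A BADSRC -s 127.0.0.0/8 -j DROP
-A BADSRC -s 169.254.0.0/16 -j DROP
-A BADSRC -s 172.16.0.0/12 -j DROP
-A BADSRC -s 192.0.2.0/24 -j DROP
-A BADSRC -s 192.168.0.0/16 -j DROP
-A BADSRC -s 224.0.0.0/4 -j DROP
-A BADSRC -s 240.0.0.0/4 -j DROP
-A BADFLAGS -p tcp --tcp-flags ALL NONE -j DROP
-A BADFLAGS -p tcp --tcp-flags ALL ALL -j DROP
-A BADFLAGS -p tcp --tcp-flags ALL FIN,PSH,URG -j DROP
-A BADFLAGS -p tcp --tcp-flags SYN,FIN SYN,FIN -j DROP
-A BADFLAGS -p tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A BADFLAGS -p tcp --tcp-flags FIN,ACK FIN -j DROP
-A BADFLAGS -p tcp --tcp-flags PSH,ACK PSH -j DROP
-A BADFLAGS -p tcp --tcp-flags URG,ACK URG -j DROP
COMMIT
EOF
}

# Parse-check the ruleset first, then commit it. Needs root and the
# conntrack/multiport match modules (CONFIG_NF_CONNTRACK,
# CONFIG_NETFILTER_XT_MATCH_CONNTRACK, CONFIG_NETFILTER_XT_MATCH_MULTIPORT)
# in the stripped-down kernel the post talks about.
load_ruleset() {
  gen_ruleset | iptables-restore --test && gen_ruleset | iptables-restore
}

case "${1:-}" in
  load) load_ruleset ;;
  *)    gen_ruleset ;;
esac
```

Two things worth checking before loading this on a real box: the BADSRC chain is wrong if the outside interface is itself on RFC 1918 space, and the `! --syn` NEW drop relies on connection tracking being loaded, which it will not be if `nf_conntrack` was left out of the kernel (INVALID would then never match either).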