On Tue, Jul 13, 2004 at 06:32:52PM -0300, Alejandro Flores spoke thusly:

>Hello Michael,
>
>Agreed. If well designed, it will improve performance. But, what
>is the cost to send a packet to another chain? And if you have
>something like:

I don't have those numbers.

>When the packet arrives, and it's from 192.168.0.7, it will be handled
>by INPUT, then C1 and finally C1_SSH at the second rule. What I'm
>trying to discover is, what is the cost to send the packet from one
>chain to another. It's easier to configure and maintain your rules
>with user-chains, but how much will it cost in performance, if instead
>of the above example, I use the following rules:

That's relative, right? If you properly organise your user-chains, taking
into account that more frequent traffic types are at the top, then
performance-wise you shouldn't be seeing that dramatic a hit.

On an old bastion host I used to control, I had 6,000++ rules running at
one time (_no optimisation_ at all). I didn't notice a performance hit,
except that adding/deleting rules took a bit of time to fully finish; but
Harald has mentioned that problem before on the list - it's due to the way
the rules are stored (circular linked list?) IIRC.

For good security, your rulesets should be really small (where possible!),
otherwise it becomes a nightmare to maintain.

In regards to "rule sorting", google the firewall-wizards mailing list
archives; Paul Robertson has participated in a couple of interesting
threads on the subject.

(snip)
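To put a number on the "cost of a jump" question above, here is a small constructed model of iptables chain traversal (added here; it is not code from this thread or from netfilter). It counts how many rules are evaluated before a packet gets a verdict, for a flat INPUT chain versus the INPUT -> C1 -> C1_SSH layout quoted in the reply; the matcher is simplified to source network and TCP destination port, and the host list and the second network (10.9.0.0/16, chain C2) are assumed.

```python
# Toy model of iptables chain traversal that counts how many rules are
# evaluated before a packet gets a verdict (constructed example, not code
# from the thread or from netfilter).
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

@dataclass
class Rule:
    src: Optional[str]    # source network in CIDR form, None = any
    dport: Optional[int]  # TCP destination port, None = any
    target: str           # ACCEPT, DROP, RETURN, or a user-chain name
Chains = Dict[str, List[Rule]]

def _walk(chains: Chains, name: str, src: str, dport: int, n: List[int]) -> Optional[str]:
    """Linear walk of one chain; n[0] counts every rule evaluated."""
    for rule in chains[name]:
        n[0] += 1
        if rule.src and ipaddress.ip_address(src) not in ipaddress.ip_network(rule.src):
            continue
        if rule.dport is not None and rule.dport != dport:
            continue
        if rule.target in ("ACCEPT", "DROP"):
            return rule.target
        if rule.target == "RETURN":
            return None
        # Jump to a user chain: the jump itself costs one evaluation, and
        # control comes back here if the sub-chain ends without a verdict.
        verdict = _walk(chains, rule.target, src, dport, n)
        if verdict is not None:
            return verdict
    return None

def cost(chains: Chains, src: str, dport: int, policy: str = "DROP") -> Tuple[str, int]:
    """Return (verdict, rules evaluated) for a packet entering INPUT."""
    n = [0]
    return _walk(chains, "INPUT", src, dport, n) or policy, n[0]

# Constructed rulesets. FLAT: one INPUT rule per (host, service) pair.
HOSTS = ["192.168.0.%d" % i for i in range(1, 9)]
FLAT: Chains = {"INPUT": [Rule(h + "/32", p, "ACCEPT") for h in HOSTS for p in (80, 22)]}
# CHAINED: INPUT -> C1 (the LAN, most frequent, so first) -> C1_SSH at C1's
# second rule, as in the quoted layout; C2 covers a rarer remote network.
CHAINED: Chains = {
    "INPUT": [Rule("192.168.0.0/24", None, "C1"), Rule("10.9.0.0/16", None, "C2")],
    "C1": [Rule(None, 80, "ACCEPT"), Rule(None, 22, "C1_SSH")],
    "C1_SSH": [Rule(h + "/32", None, "ACCEPT") for h in HOSTS],
    "C2": [Rule(None, 22, "DROP")],
}
```

Each jump adds exactly one evaluation (the jump rule), so the saving comes from skipping whole groups of rules, and only if the frequent group sits at the top of the calling chain.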