On Mon, 24 Jan 2005 at 22:53, Patrick Higgins wrote:
> We know that there are ways to optimize the rules themselves, but they
> will mostly require new netfilter modules or at least revive some of the
> nf-hipac work. The fact is, our firewall is inherently complex and will
> probably always be our bottleneck. We're just looking for generic ways
> to leverage hardware for short-term speed gains, and are running into a
> wall.

Reading my own post, I have realized that maybe I have not explained myself well. What I propose is to separate the traffic into multiple chains, so that the traversal of the packets through the chains makes the Netfilter system test the minimum number of rules. We did some tests while we were designing our bastion-firewall GPL software, and it sure improves the performance of the firewall a lot. Probably you had understood me, but I wanted to make it clear.

Regards.

-- 
Jose Maria Lopez Hernandez
Technical Director of bgSEC
jkerouac@xxxxxxxxx
bgSEC Seguridad y Consultoria de Sistemas Informaticos
http://www.bgsec.com
ESPAÑA

The only people for me are the mad ones -- the ones who are mad to live, mad to talk, mad to be saved, desirous of everything at the same time, the ones who never yawn or say a commonplace thing, but burn, burn, burn like fabulous yellow Roman candles.
-- Jack Kerouac, "On the Road"
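The chain-splitting idea in the mail above, shown as an added example; this is not code from the thread and not bgSEC's bastion-firewall software. It models Netfilter's traversal of a chain (first matching terminal rule wins, a user chain that falls through returns to its caller) and counts how many rules a packet is tested against when the same accept list sits (a) flat in INPUT or (b) behind one dispatch jump per protocol. It also emits the corresponding iptables-restore text. The port lists, the sample packets and the sub-chain names in_tcp/in_udp/in_icmp are constructed for the example.

```python
"""Flat vs. chain-dispatched rule sets: count rules tested per packet.

Added example, not part of the original mail or of bgSEC's firewall.
Rule lists, packets and chain names below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str                  # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass
class Rule:
    proto: Optional[str] = None
    dport: Optional[int] = None
    target: str = "ACCEPT"      # ACCEPT/DROP, or the name of a user chain to jump to

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True

    def iptables(self, chain: str) -> str:
        """Render the rule as an iptables(-restore) '-A' line."""
        parts = ["-A", chain]
        if self.proto:
            parts += ["-p", self.proto]
        if self.dport is not None:
            parts += ["--dport", str(self.dport)]
        parts += ["-j", self.target]
        return " ".join(parts)


TERMINAL = {"ACCEPT", "DROP", "REJECT"}
Chains = Dict[str, List[Rule]]


def traverse(chains: Chains, start: str, pkt: Packet, policy: str = "DROP") -> Tuple[str, int]:
    """Walk pkt through chains from `start`; return (verdict, rules_tested).

    Mirrors Netfilter: rules are tested in order; a non-terminal target is a
    jump into a user chain, and falling off the end of a user chain returns
    to the caller right after the jump. Falling off the base chain applies
    the chain policy.
    """
    tested = 0

    def walk(chain: str) -> Optional[str]:
        nonlocal tested
        for rule in chains[chain]:
            tested += 1
            if not rule.matches(pkt):
                continue
            if rule.target in TERMINAL:
                return rule.target
            verdict = walk(rule.target)       # jump; None means the sub-chain returned
            if verdict is not None:
                return verdict
        return None

    verdict = walk(start)
    return (verdict if verdict is not None else policy), tested


# Constructed accept list: the same ports are used by both layouts.
TCP_PORTS = [22, 25, 80, 443, 993, 8080]
UDP_PORTS = [53, 123, 500, 4500]


def flat_ruleset() -> Chains:
    """Every accept rule in INPUT; a UDP or ICMP packet is tested against all TCP rules first."""
    rules = [Rule("tcp", p) for p in TCP_PORTS]
    rules += [Rule("udp", p) for p in UDP_PORTS]
    rules += [Rule("icmp")]
    return {"INPUT": rules}


def chained_ruleset() -> Chains:
    """One dispatch rule per protocol in INPUT; port rules live in per-protocol sub-chains."""
    return {
        "INPUT": [Rule("tcp", target="in_tcp"), Rule("udp", target="in_udp"), Rule("icmp", target="in_icmp")],
        "in_tcp": [Rule("tcp", p) for p in TCP_PORTS],
        "in_udp": [Rule("udp", p) for p in UDP_PORTS],
        "in_icmp": [Rule("icmp")],
    }


def to_iptables_restore(chains: Chains, policy: str = "DROP") -> str:
    """Emit an iptables-restore 'filter' table; user chains are declared before use."""
    lines = ["*filter", f":INPUT {policy} [0:0]", ":FORWARD DROP [0:0]", ":OUTPUT ACCEPT [0:0]"]
    lines += [f":{name} - [0:0]" for name in chains if name not in ("INPUT", "FORWARD", "OUTPUT")]
    for name, rules in chains.items():
        lines += [r.iptables(name) for r in rules]
    lines.append("COMMIT")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for pkt in (Packet("udp", 4500), Packet("icmp"), Packet("tcp", 9999)):
        print(pkt, "flat:", traverse(flat_ruleset(), "INPUT", pkt),
              "chained:", traverse(chained_ruleset(), "INPUT", pkt))
    print(to_iptables_restore(chained_ruleset()))
```

The unmatched TCP packet in the sample still returns from in_tcp and is tested against the remaining INPUT dispatch rules; ending each sub-chain with its own terminal rule (for example `-A in_tcp -j DROP`) removes that return path, which is the usual way to get the traversal down to the one dispatch rule plus the sub-chain.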