Re: iptables leaking blocked ip addresses.

On Tuesday, 21 June 2005 at 17:36 +0800, Feizhou wrote:
> netfilter's conntrack module sucks in performance and at the same time 
> is not fully stateful.

The last serious paper I could read about performance comparisons was
published on the pf website long ago and demonstrated a clear advantage for
Netfilter against pf or ipf.

	http://www.benzedrine.cx/pf-paper.html

However, at that time, Netfilter was indeed not fully stateful. But that's
no longer the case, as Netfilter now implements TCP window tracking in
stock kernels.

If you know of good published comparisons, I would be happy to read them.

> If I wanted a stateful firewall, I would go for a OpenBSD solution.

Essentially a question of feeling now, and of other functionalities. For
instance, if I need hot failover, I will go with OpenBSD.


There may be other problems I'm not aware of, so please back up your
claims if that is the case. Thx.


-- 
http://sid.rstack.org/
PGP KeyID: 157E98EE FingerPrint: FA62226DA9E72FA8AECAA240008B480E157E98EE
>> Hi! I'm your friendly neighbourhood signature virus.
>> Copy me to your signature file and help me spread!
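The TCP window tracking mentioned above only bites if the ruleset actually acts on what the tracker reports. As an added example (not part of the thread or of any poster's configuration), the script below generates a minimal stateful ruleset in iptables-restore format together with the two sysctls that control how strict the TCP tracker is. The interface name (eth0), the exposed ports (22, 80) and the sysctl names as used by current kernels (older 2.6 kernels exposed them as ip_conntrack_tcp_be_liberal and ip_conntrack_tcp_loose under /proc/sys/net/ipv4/netfilter/) are assumptions; the script only prints, it does not apply anything.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread: print a stateful iptables
# ruleset (iptables-restore format) plus the conntrack sysctls it relies on.
# Review the output, then apply as root with: iptables-restore < rules.v4

WAN_IF="${WAN_IF:-eth0}"                     # assumed external interface
ALLOW_TCP_PORTS="${ALLOW_TCP_PORTS:-22 80}"  # assumed services to expose

# tcp_be_liberal=0 : out-of-window segments are marked INVALID instead of
#                    being accepted as part of the tracked connection
# tcp_loose=0      : a stray ACK cannot create a tracking entry mid-stream;
#                    only a SYN opens a NEW TCP entry (stock default is 1)
conntrack_sysctls() {
    printf '%s\n' \
        'net.netfilter.nf_conntrack_tcp_be_liberal = 0' \
        'net.netfilter.nf_conntrack_tcp_loose = 0'
}

gen_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
# Drop what the tracker rejects: out-of-window segments, bad flag combinations
# and (with tcp_loose=0) ACKs for connections it never saw a SYN for. Without
# this rule such packets merely fail the ESTABLISHED match and fall through.
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
EOF
    for p in $ALLOW_TCP_PORTS; do
        # Only a SYN may open a connection; --syn means
        # --tcp-flags SYN,RST,ACK,FIN SYN
        echo "-A INPUT -i $WAN_IF -p tcp --syn --dport $p -m conntrack --ctstate NEW -j ACCEPT"
    done
    cat <<EOF
-A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Number of rules that consult conntrack state; a quick check that the ruleset
# is stateful rather than a plain list of port opens.
stateful_rule_count() {
    gen_rules | grep -c -- '--ctstate'
}

if [ "${1:-}" = "--print" ]; then
    conntrack_sysctls
    gen_rules
fi
```

Run it as `sh rules.sh --print` to see both the sysctls and the ruleset. The INVALID drop is the line that turns window tracking into enforcement: with tcp_be_liberal left at 0, a segment whose sequence numbers fall outside the tracked window is reported as INVALID, and without an explicit drop it would simply be evaluated against the remaining rules like any untracked packet.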


