Firewall Wizards mailing list archives
Re: Firewall rules order and performance
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 21 Jul 2009 13:02:17 -0400
lordchariot () embarqmail com wrote:
> the number of already established connections in the kernel was the primary factor. You'd plateau after a certain point as new connections were trying to allocate the memory.

I never understood why anyone would have a problem with that. Just pre-allocate a pool and (if you're really into it) marshal your pools based on the hash function you use to match the streams so that stream data related to a particular hash chain tend to be in the same memory pages.

It always seemed to me that a lot of the "system design" of firewalls was "let's put our head between our knees and hope Moore's law or marketing takes care of it for us."

mjr.
--
Marcus J. Ranum
CSO, Tenable Network Security, Inc.
http://www.tenablesecurity.com
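The design Marcus sketches above, a connection table whose memory is allocated once at startup and partitioned per hash chain, as an added example in C that is not part of the original post or of any product it mentions. The bucket and chain sizes, the FNV-1a hash, and the flow-key layout are assumptions chosen for illustration; a real firewall would size them from its connection budget. The point it shows is that memory use is bounded by design (a full chain refuses a new flow rather than allocating), and that two flows sharing a chain land in adjacent memory.

```c
/* Added example, not from the original post: a pre-allocated
 * connection-state table partitioned per hash chain. Sizes, hash and
 * key layout are assumptions for illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBUCKETS  64   /* number of hash chains (assumed) */
#define CHAIN_CAP  8   /* pre-allocated slots per chain (assumed) */

struct flow_key { uint32_t src, dst; uint16_t sport, dport; uint8_t proto; };

struct conn {
    struct flow_key key;
    uint8_t  in_use;
    uint64_t packets;
};

/* Each chain owns a contiguous slab of CHAIN_CAP entries: no malloc on
 * the packet path, and a chain's entries sit next to each other. */
struct conn_table {
    struct conn slab[NBUCKETS][CHAIN_CAP];
    size_t used;       /* live entries */
    size_t rejected;   /* new flows refused because their chain was full */
};

/* FNV-1a over the 5-tuple fields (fields hashed explicitly so struct
 * padding bytes never influence the result). */
static uint32_t mix(uint32_t h, uint32_t v)
{
    for (int i = 0; i < 4; i++) { h ^= (v >> (8 * i)) & 0xffu; h *= 16777619u; }
    return h;
}
static uint32_t flow_hash(const struct flow_key *k)
{
    uint32_t h = 2166136261u;
    h = mix(h, k->src);
    h = mix(h, k->dst);
    h = mix(h, ((uint32_t)k->sport << 16) | k->dport);
    return mix(h, k->proto);
}
static int key_eq(const struct flow_key *a, const struct flow_key *b)
{
    return a->src == b->src && a->dst == b->dst && a->sport == b->sport &&
           a->dport == b->dport && a->proto == b->proto;
}

void conn_table_init(struct conn_table *t) { memset(t, 0, sizeof *t); }

/* Find an existing entry by walking only its own chain; NULL if absent. */
struct conn *conn_lookup(struct conn_table *t, const struct flow_key *k)
{
    struct conn *chain = t->slab[flow_hash(k) % NBUCKETS];
    for (size_t i = 0; i < CHAIN_CAP; i++)
        if (chain[i].in_use && key_eq(&chain[i].key, k)) return &chain[i];
    return NULL;
}

/* Find or create. A full chain returns NULL and is counted, so the
 * table never grows past what was allocated at startup. */
struct conn *conn_get(struct conn_table *t, const struct flow_key *k)
{
    struct conn *c = conn_lookup(t, k);
    if (c) return c;
    struct conn *chain = t->slab[flow_hash(k) % NBUCKETS];
    for (size_t i = 0; i < CHAIN_CAP; i++) {
        if (!chain[i].in_use) {
            chain[i].in_use = 1; chain[i].key = *k; chain[i].packets = 0;
            t->used++;
            return &chain[i];
        }
    }
    t->rejected++;
    return NULL;
}

void conn_release(struct conn_table *t, struct conn *c)
{
    if (c && c->in_use) { c->in_use = 0; t->used--; }
}

/* 1 if both entries live in the same chain slab (adjacent memory). */
int same_chain(const struct conn_table *t, const struct conn *a, const struct conn *b)
{
    ptrdiff_t ia = a - &t->slab[0][0], ib = b - &t->slab[0][0];
    return ia / CHAIN_CAP == ib / CHAIN_CAP;
}

static struct conn_table g_table;   /* allocated once, for the demos below */

/* Offer twice the table's capacity in distinct flows; every attempt is
 * either admitted or refused, and nothing is allocated at runtime. */
int demo_overload(void)
{
    conn_table_init(&g_table);
    int attempts = 2 * NBUCKETS * CHAIN_CAP;
    for (int i = 0; i < attempts; i++) {
        struct flow_key k = { 0x0a000001u, 0x0a000002u + (uint32_t)i, 40000, 443, 6 };
        conn_get(&g_table, &k);
    }
    return (int)(g_table.used + g_table.rejected);   /* == attempts */
}

/* Two flows that hash to the same chain end up in the same slab, and
 * lookup/release behave as expected. Returns 1 on success. */
int demo_locality(void)
{
    conn_table_init(&g_table);
    struct flow_key a = { 0x0a000001u, 0x0a000002u, 1000, 443, 6 };
    struct flow_key b = a;
    uint32_t bucket = flow_hash(&a) % NBUCKETS;
    b.sport = 1001;
    while (flow_hash(&b) % NBUCKETS != bucket) b.sport++;   /* collide on purpose */
    struct conn *ca = conn_get(&g_table, &a), *cb = conn_get(&g_table, &b);
    if (!ca || !cb || conn_lookup(&g_table, &a) != ca) return 0;
    int ok = same_chain(&g_table, ca, cb);
    conn_release(&g_table, ca);
    return ok && conn_lookup(&g_table, &a) == NULL && g_table.used == 1;
}

int main(void)
{
    printf("overload: %d attempts accounted for, %zu admitted, %zu refused\n",
           demo_overload(), g_table.used, g_table.rejected);
    printf("locality: %s\n", demo_locality() ? "same chain slab" : "FAILED");
    return 0;
}
```

The refusal counter is the operational hook: a rising `rejected` count under load means the chain capacity was sized too small (or a flood is targeting one chain), which is visible and tunable rather than surfacing as the plateau described earlier in the thread.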