Re: Why not have firewall rules by default?
* Henrique de Moraes Holschuh:
> On Wed, 23 Jan 2008, Rolf Kutz wrote:
>> On 23/01/08 08:29 -0700, Michael Loftis wrote:
>>> It's better to leave the service disabled, or even better, completely
>>> uninstalled from a security standpoint, and from a DoS standpoint as
>>> well. The Linux kernel isn't very efficient at processing firewall
>>> rules. Newer
>>
>> I thought it was very efficient in doing so. YMMV.
>
> Quite the contrary. It is *dog* *slow* for non-trivial firewalls.
It depends a lot on the traffic characteristics. For a few, long flows,
Netfilter is pretty efficient if you use connection tracking. Per-flow
setup costs are also much lower than most of the proprietary offerings
running on non-specialized hardware. It also helps that, unlike
appliances, custom-built Linux packet filters typically use current CPUs
with relatively large caches.
> You need to be doing some *heavy* firewalling (many rules) for any of that
> to really matter, and on very fast links (gigabit) because nobody will
> notice the firewall's speed on something as a 10Mbit/s link...
This is why Netfilter is considered fast, other implementations have
trouble keeping up with 10 Mbit/s links. 8-P
Reply to: