Firewall Wizards mailing list archives

Re: Firewall rules order and performance
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 21 Jul 2009 13:02:17 -0400

lordchariot () embarqmail com wrote:
> the number of already
> established connections in the kernel was the primary factor. You'd plateau
> after a certain point as new connections were trying to allocate the memory.

I never understood why anyone would have a problem with that.
Just pre-allocate a pool and (if you're really into it) marshall
your pools based on the hash function you use to match
the streams so that stream data related to a particular
hash chain tend to be in the same memory pages.

It always seemed to me that a lot of the "system design"
of firewalls was "let's put our head between our knees and
hope Moore's law or marketing takes care of it for us."

mjr.
--
Marcus J. Ranum         CSO, Tenable Network Security, Inc.
                        http://www.tenablesecurity.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
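The design Ranum sketches (pre-allocate the connection-state pool up front, and carve it up by the same hash that selects a flow's chain so one chain's entries sit together in memory) as an added C example. This is not code from the original post or from any firewall product; the flow layout, the table sizes, the FNV-style hash and all function names are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the original post: a connection-state table that is
   allocated once and split into per-hash-chain pools. Sizes, hash function
   and flow layout are assumptions. */
#define NBUCKETS 64          /* number of hash chains */
#define SLOTS_PER_BUCKET 4   /* state entries pre-allocated for each chain */

typedef struct {
    uint32_t src_ip, dst_ip;
    uint16_t src_port, dst_port;
    uint8_t  proto;
} flow_key;

typedef struct {
    flow_key key;
    uint32_t packets;
    bool     in_use;
} conn_entry;

/* One contiguous pool per chain: a lookup walks only its own slots, so the
   entries that share a chain also share cache lines and pages. */
typedef struct { conn_entry slots[SLOTS_PER_BUCKET]; } chain_pool;

typedef struct {
    chain_pool pools[NBUCKETS];  /* the whole table is one fixed block */
    size_t active;               /* entries currently in use */
    size_t rejected;             /* flows refused because their chain was full */
} conntrack_table;

static uint32_t flow_hash(const flow_key *k) {
    /* FNV-1a style mixing over the fields (not raw struct bytes, which include padding) */
    uint32_t f[5] = { k->src_ip, k->dst_ip, k->src_port, k->dst_port, k->proto };
    uint32_t h = 2166136261u;
    for (size_t i = 0; i < 5; i++) { h ^= f[i]; h *= 16777619u; }
    return h;
}

static bool key_equal(const flow_key *a, const flow_key *b) {
    return a->src_ip == b->src_ip && a->dst_ip == b->dst_ip &&
           a->src_port == b->src_port && a->dst_port == b->dst_port &&
           a->proto == b->proto;
}

void ct_init(conntrack_table *t) { memset(t, 0, sizeof *t); }

/* Find the entry for a flow, or NULL. Touches only the flow's own chain pool. */
conn_entry *ct_lookup(conntrack_table *t, const flow_key *k) {
    chain_pool *p = &t->pools[flow_hash(k) % NBUCKETS];
    for (size_t i = 0; i < SLOTS_PER_BUCKET; i++)
        if (p->slots[i].in_use && key_equal(&p->slots[i].key, k))
            return &p->slots[i];
    return NULL;
}

/* Admit a flow. Nothing is allocated here: either a free slot exists in the
   chain's pool or the flow is refused, so memory use cannot grow under load. */
conn_entry *ct_insert(conntrack_table *t, const flow_key *k) {
    conn_entry *e = ct_lookup(t, k);
    if (e) return e;                    /* already tracked */
    chain_pool *p = &t->pools[flow_hash(k) % NBUCKETS];
    for (size_t i = 0; i < SLOTS_PER_BUCKET; i++) {
        if (!p->slots[i].in_use) {
            p->slots[i].key = *k;
            p->slots[i].packets = 0;
            p->slots[i].in_use = true;
            t->active++;
            return &p->slots[i];
        }
    }
    t->rejected++;
    return NULL;
}

/* Release a flow's slot back to its chain pool. */
bool ct_remove(conntrack_table *t, const flow_key *k) {
    conn_entry *e = ct_lookup(t, k);
    if (!e) return false;
    e->in_use = false;
    t->active--;
    return true;
}

/* Constructed workload: n flows from one client to one server that differ
   only in source port. Returns how many were admitted. */
size_t ct_load(conntrack_table *t, uint32_t n) {
    size_t admitted = 0;
    for (uint32_t i = 0; i < n; i++) {
        flow_key k = { 0x0A000001u, 0xC0A80001u, (uint16_t)(1024 + i), 443, 6 };
        if (ct_insert(t, &k)) admitted++;
    }
    return admitted;
}

int main(void) {
    conntrack_table t;
    ct_init(&t);
    size_t ok = ct_load(&t, 300);   /* more flows than the 256 slots can hold */
    printf("admitted %zu, rejected %zu\n", ok, t.rejected);
    return 0;
}
```

The point of the layout is the failure mode the thread is about: because every slot exists before the first packet arrives, a flood of new connections can only fill the fixed pools and be refused, never drive the box into allocation stalls or memory exhaustion. A real firewall would add entry timeouts (so idle flows free their slots) and would size the per-chain pool from measured chain lengths rather than the constant used here.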
