From owner-freebsd-hackers Tue Feb 27 08:24:27 1996
Return-Path: owner-hackers
Received: (from root@localhost)
    by freefall.freebsd.org (8.7.3/8.7.3) id IAA00928
    for hackers-outgoing; Tue, 27 Feb 1996 08:24:27 -0800 (PST)
Received: from etinc.com ([165.254.13.209])
    by freefall.freebsd.org (8.7.3/8.7.3) with SMTP id IAA00922
    for ; Tue, 27 Feb 1996 08:24:18 -0800 (PST)
Received: from dialup-usr11.etinc.com (dialup-usr11.etinc.com [204.141.95.132])
    by etinc.com (8.6.12/8.6.9) with SMTP id LAA02961
    for ; Tue, 27 Feb 1996 11:26:34 -0500
Date: Tue, 27 Feb 1996 11:26:34 -0500
Message-Id: <199602271626.LAA02961@etinc.com>
X-Sender: dennis@etinc.com
X-Mailer: Windows Eudora Version 2.0.3
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
To: hackers@freebsd.org
From: dennis@etinc.com (dennis)
Subject: Re: IPFW - how fast/robust is it ?
Sender: owner-hackers@freebsd.org
Precedence: bulk

>> Hi there folx,
>>
>> I'm about to implement some filtering here
>> on user servers , namely I want to disallow
>> users to provide any TCP services (bind and
>> listen on ports above 1024).
>>
>> They should be able to use ftp in the passive mode,
>> so there's no problem there.
>>
>> So as I understand I can do it via IPFW mechanism.
>> The only Q is , since the thing is so deep in the
>> kernel , how robust and stable it is ?
>>
>> How does it affect the networking in the sense of
>> speed , etc ?
>
>I haven't noticed significant performance degradation running a dozen and a
>half rules on a busy 386DX/40 (T1 router). Stability is impeccable for most
>things (some features I tried under 2.0.5R had some problems, but the basics
>are rock solid). The router in question was up over 100 days.
>
>That's not to say there isn't a performance penalty, I'm just saying I
>haven't noticed it if it's there.

You won't notice much on a single serial line system...if you're doing local
routing and have a lot of rules you will.

db