List:       firewalls-gc
Subject:    Re: IP Filters?
From:       Brian Mitchell <brian () firehouse ! net>
Date:       1997-07-03 15:00:20

On Thu, 3 Jul 1997, Fernando da Silveira Montenegro wrote:

> Hello all!
> 
> What seems to be the general consensus on how many filtering rules one can
> configure on a router without imposing a noticeable performance penalty:
> 10? 50? 100?
> 
> I know it probably varies wildly with the equipment you use (2501 x 7500,
> for instance), but is anybody running a Cisco 4000 with more than, say,
> 100 rules for each filter applied to an interface? The router has 8MB, and
> is talking two T1s (bonded, no multihoming).

If you do stuff like handle the most frequent packets first (say an
established entry as the first rule) you shouldn't have too much of a
performance problem. The key is getting the majority of packets evaluated
at the very beginning, leaving the somewhat unusual packets near the end.

> 
> We plan to tighten up our environment a bit (too many DoS attacks for our
> liking), and are considering also stricter filters on our terminal servers
> (PortMaster2 units from Livingston). Same question applies: how many
> filters on a 1MB PM2?
 
Denial of service attacks are essentially impossible to defeat. They will
always be there in one form or another.

Brian Mitchell                           brian@firehouse.net
"BSD code sucks. Of course, everything else sucks far more."
- Theo de Raadt
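The rule-ordering advice in the reply above, as an added example that is not part of the original message or of any vendor's code: a small Python model of a first-match access list (evaluated top-down like a classic Cisco IOS ACL) that counts how many rule comparisons a constructed traffic mix costs with the "established" entry first versus after the per-service rules. The rule syntax, the 192.0.2.0/24 site range, the service list and the packet mix are all assumptions made for the demonstration; the comparison count stands in for per-packet CPU cost on the router.

```python
"""First-match ACL simulation: rule ordering versus evaluation cost.

Added example, not code from the original thread. It models a router access
list as an ordered rule list evaluated top-down until the first match (the
way a classic Cisco IOS ACL is processed) and counts the rule comparisons a
constructed traffic mix costs with the 'established' rule first versus last.
Rule syntax, addresses and the traffic mix are all constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0
    ack: bool = False    # TCP ACK (or RST) bit set


@dataclass(frozen=True)
class Rule:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: str                     # CIDR; "0.0.0.0/0" means "any"
    dst: str
    dport: Optional[int] = None  # None = any destination port
    established: bool = False    # like IOS 'established': ACK or RST set
    name: str = ""

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        # 'established' is stateless: it looks only at the TCP flags, so any
        # crafted packet with ACK set satisfies it. It is a fast path for
        # return traffic, not a connection-tracking check.
        if self.established and not (pkt.proto == "tcp" and pkt.ack):
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """First matching rule wins; returns (action, rules compared).
    An unmatched packet hits the implicit deny after the whole list."""
    for i, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, i
    return "deny", len(rules)


def total_cost(rules: List[Rule], traffic: List[Packet]) -> int:
    return sum(evaluate(rules, p)[1] for p in traffic)


ANY = "0.0.0.0/0"
SITE = "192.0.2.0/24"   # RFC 5737 documentation range stands in for the site

ESTABLISHED = Rule("permit", "tcp", ANY, SITE, established=True, name="established")
DENY_ALL = Rule("deny", "ip", ANY, ANY, name="deny-all")
# Twenty per-service permits plus DNS: the 'specific' part of a real ACL.
SERVICES = [
    Rule("permit", "tcp", ANY, f"192.0.2.{10 + i}/32", dport=1024 + i, name=f"svc{i}")
    for i in range(20)
] + [Rule("permit", "udp", ANY, "192.0.2.30/32", dport=53, name="dns")]

FAST_ORDER = [ESTABLISHED] + SERVICES + [DENY_ALL]   # frequent case first
SLOW_ORDER = SERVICES + [ESTABLISHED, DENY_ALL]      # frequent case last


def sample_traffic() -> List[Packet]:
    """Constructed mix: mostly return traffic for client connections (ACK set),
    a few new inbound connections, one DNS query and one unsolicited probe."""
    pkts = [Packet("tcp", "198.51.100.5", f"192.0.2.{100 + i % 20}", 40000 + i, ack=True)
            for i in range(90)]
    pkts += [Packet("tcp", "198.51.100.7", "192.0.2.10", 1024) for _ in range(5)]
    pkts.append(Packet("udp", "198.51.100.9", "192.0.2.30", 53))
    pkts.append(Packet("tcp", "198.51.100.9", "192.0.2.250", 23))   # telnet probe, no ACK
    return pkts


def compare_orderings(traffic: Optional[List[Packet]] = None) -> dict:
    """Cost of both orderings, plus whether they reach identical verdicts."""
    traffic = traffic if traffic is not None else sample_traffic()
    same = all(evaluate(FAST_ORDER, p)[0] == evaluate(SLOW_ORDER, p)[0] for p in traffic)
    return {"fast": total_cost(FAST_ORDER, traffic),
            "slow": total_cost(SLOW_ORDER, traffic),
            "same_verdicts": same}


if __name__ == "__main__":
    print(compare_orderings())
```

Both orderings reach the same permit/deny verdict for every packet, so the reorder is purely a performance change; with the "established" entry first, the 90 return-traffic packets each cost one comparison instead of walking past all the per-service rules. The caveat a practitioner should keep in mind is in the `matches` comment: the IOS-style "established" keyword only tests the ACK/RST bits, so a crafted packet with ACK set reaches any host in the permitted range regardless of port. It speeds up the common case but is not a stateful check.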
