(PM) Re: Performance on PMs when using filters

Kevin Kadow (kadokev@ripco.com)
Thu, 16 Jul 1998 11:56:18 -0500 (CDT)

scarpenter@assuredaccess.com (Scott Carpenter) wrote:
> At 08:56 AM 7/15/98 -0100, Mark Pace Balzan wrote:
> > I was wondering if the performance of the PM2
> >and hence response time to users will be affected.
>
> There is always performance loss when filters are used. Now when a packet
> is received/sent it must be checked against each line of the filter until
> it gets permitted or denied, but with a ten line filter you should not see
> the delay in packet forwarding. In other words the longer the filter is the
> more packet delay.

Specifically, the more rules each packet has to go through before matching an
'allow' line, the more packet delay. A ten line filter is actually pretty long,
but if you can craft the filter so that most of the packets match on one of the
first lines, by using:
permit 0.0.0.0/0 0.0.0.0/0 tcp estab

Then the number of additional rules, that most packets never see, won't
be an issue- ComOS uses 'short circuit' rule evaluation.

BTW, if you are setting up filters on .in for dialup users, you should strongly
consider including 'anti-spoofing' rules, only allowing users to originate
packets with a legitimate source address- in the case of dynamically assigned
IPs, you'd need to set the filter to allow any user to originate any address
from within that Portmaster's pool.

If you're using assigned IP addresses and routing subnets to customers,
we're almost finished with a little (free) PERL utility to read the 'users'
file and generate anti-spoofing Choicenet filters for each user.

-
To unsubscribe, email 'majordomo@livingston.com' with
'unsubscribe portmaster-users' in the body of the message.
Searchable list archive: <URL:http://www.livingston.com/Tech/archive/>
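To make the two points in the post concrete (first-match evaluation rewarding a well-placed 'tcp estab' rule, and a pool-restricted anti-spoofing rule on the .in filter), here is an added Python simulation that is not part of the original post and not ComOS code. The rule grammar is a simplified ACTION SRC DST [PROTO [estab]] form modelled on the rule quoted above, and every address and packet in it is constructed.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    estab: bool = False   # TCP segment of an already-open connection

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str = "any"          # "any" matches every protocol
    estab: bool = False         # match only established TCP traffic

def parse_rule(line):
    """Simplified rule grammar assumed here: ACTION SRC DST [PROTO [estab]]."""
    p = line.split()
    proto = p[3] if len(p) > 3 else "any"
    return Rule(p[0], ipaddress.ip_network(p[1]), ipaddress.ip_network(p[2]),
                proto, "estab" in p[4:])

def matches(rule, pkt):
    return (ipaddress.ip_address(pkt.src) in rule.src
            and ipaddress.ip_address(pkt.dst) in rule.dst
            and rule.proto in ("any", pkt.proto) and (not rule.estab or pkt.estab))

def evaluate(rules, pkt):
    """First match wins; returns (action, rules examined). No match = implicit deny."""
    for n, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.action, n
    return "deny", len(rules)

def average_checks(rules, packets):
    return sum(evaluate(rules, p)[1] for p in packets) / len(packets)

# Constructed sample: dial-up pool 192.0.2.0/24, eight per-server permits, and the
# wide-open 'tcp estab' rule from the post placed either first or last.
POOL = "192.0.2.0/24"
SERVICES = [f"permit {POOL} 198.51.100.{n}/32 tcp" for n in range(1, 9)]
ESTAB, DENY_ALL = "permit 0.0.0.0/0 0.0.0.0/0 tcp estab", "deny 0.0.0.0/0 0.0.0.0/0"
ESTAB_FIRST = [parse_rule(r) for r in [ESTAB, *SERVICES, DENY_ALL]]
ESTAB_LAST = [parse_rule(r) for r in [*SERVICES, ESTAB, DENY_ALL]]
# Typical mix: nine packets on existing connections, one new connection to server 8.
TRAFFIC = [Packet("192.0.2.17", f"203.0.113.{i}", "tcp", estab=True) for i in range(1, 10)]
TRAFFIC.append(Packet("192.0.2.17", "198.51.100.8", "tcp"))
# Anti-spoofing on the .in filter: only sources inside the pool may originate packets.
ANTI_SPOOF = [parse_rule(f"permit {POOL} 0.0.0.0/0"), parse_rule(DENY_ALL)]
```

With the sample traffic, `average_checks(ESTAB_FIRST, TRAFFIC)` is 1.8 rules per packet against 8.9 for `ESTAB_LAST`, while `ANTI_SPOOF` denies a packet sourced from 10.0.0.5 at its second rule.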