[luau] Open Source Firewall comparison

Dustin Cross dusty at sandust.com
Wed Jun 19 14:21:01 PDT 2002


I was just reading an article comparing the performance of open source
firewalls (IPtables, IPfilter, and PF).  There is some interesting
information in it.

http://www.benzedrine.cx/pf-paper.html

IPtables was the best performing stateless firewall, but was not tested for
stateful packet inspection, because "it does not perform proper state
tracking".  This was news to me.  I was wondering if anyone on the list had
some insight on this?

I did some reading at http://www.iptables.org/ and found that there is a
patch that "allows netfilter do TCP connection tracking according to the
article Real Stateful TCP Packet Filtering in IP Filter by Guido van Rooij.
It supports window scaling, and can now handle already established
connections."

Here is a link to the paper they refer to:
http://www.usenix.org/events/sec01/invitedtalks/rooij.pdf






