On Thu, 3 Jul 1997, Fernando da Silveira Montenegro wrote:
> Hello all!
> What seems to be the general consensus on how many filtering rules one can
> configure on a router without imposing a noticeable performance penalty:
> 10? 50? 100?
> I know it probably varies wildly with the equipment you use (2501 x 7500,
> for instance), but is anybody running a Cisco 4000 with more than, say,
> 100 rules for each filter applied to an interface? The router has 8MB, and
> is talking two T1s (bonded, no multihoming).
If you do stuff like handle the most frequent packets first (say an
established entry as the first rule) you shouldn't have too much of a
performance problem. The key is getting the majority of packets evaluated
at the very beginning, leaving the somewhat unusual packets near the end.
> We plan to tighten up our environment a bit (too many DoS attacks for our
> liking), and are considering also stricter filters on our terminal servers
> (PortMaster2 units from Livingston). Same question applies: how many
> filters on a 1MB PM2?
Denial of service attacks are essentially impossible to defeat. They will
always be there in one form or another.
Brian Mitchell brian @
"BSD code sucks. Of course, everything else sucks far more."
- Theo de Raadt
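The ordering advice above (put the "established" line first so that the bulk of the traffic matches on line one) can be measured rather than argued about. The following is an added example, not from the original thread and not Cisco IOS syntax: a small Python model of a first-match access list, evaluated over a constructed traffic mix with the "established" line last and then first. The rule set, the RFC 5737 documentation addresses and the packet counts are all hypothetical. It also includes the check a practitioner should run before reordering any list: both orders must decide every packet the same way, since moving a permit above a deny that used to precede it silently widens the policy.

```python
"""Added example: why rule ORDER matters in a first-match packet filter.

A Cisco-style access list is evaluated top to bottom and stops at the first
matching line, so the cost of a packet is the number of lines scanned before
it matches. The rule set and traffic mix below are constructed for this
illustration; they are not from the original thread or any real site.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    dst: str            # destination address (dotted quad as a string)
    dport: int          # destination port (0 for icmp)
    ack: bool = False   # TCP ACK or RST bit set: what IOS calls "established"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                         # "permit" or "deny"
    match: Callable[[Packet], bool]


def is_established(p: Packet) -> bool:
    # "established" only inspects the ACK/RST bits; it keeps no connection
    # state, so a packet with ACK set is accepted whether or not a connection
    # exists. That is the well-known limitation of this rule, not a bug here.
    return p.proto == "tcp" and p.ack


def tcp_to(dst: str, port: int) -> Callable[[Packet], bool]:
    return lambda p: p.proto == "tcp" and p.dst == dst and p.dport == port


def udp_to(dst: str, port: int) -> Callable[[Packet], bool]:
    return lambda p: p.proto == "udp" and p.dst == dst and p.dport == port


# Hypothetical inbound filter: a few public services, replies to inside
# clients, and an explicit deny at the end (IOS has an implicit one anyway).
SERVICE_RULES: List[Rule] = [
    Rule("smtp", "permit", tcp_to("192.0.2.10", 25)),
    Rule("http", "permit", tcp_to("192.0.2.20", 80)),
    Rule("dns",  "permit", udp_to("192.0.2.30", 53)),
    Rule("icmp", "permit", lambda p: p.proto == "icmp"),
]
ESTABLISHED = Rule("established", "permit", is_established)
DENY_ALL = Rule("deny-all", "deny", lambda p: True)

# Same lines, two orders: the "established" line last versus first.
ORDER_SLOW: List[Rule] = SERVICE_RULES + [ESTABLISHED, DENY_ALL]
ORDER_FAST: List[Rule] = [ESTABLISHED] + SERVICE_RULES + [DENY_ALL]


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, int]:
    """First match wins; return (action, number of lines scanned)."""
    for depth, rule in enumerate(rules, start=1):
        if rule.match(p):
            return rule.action, depth
    return "deny", len(rules)  # implicit deny if nothing matched


def decisions(rules: List[Rule], packets: List[Packet]) -> List[str]:
    return [evaluate(rules, p)[0] for p in packets]


def total_comparisons(rules: List[Rule], packets: List[Packet]) -> int:
    return sum(evaluate(rules, p)[1] for p in packets)


def sample_traffic() -> List[Packet]:
    """Constructed traffic mix: on a busy link most inbound packets are
    replies to connections opened from inside (ACK set), new connections to
    the public services are comparatively rare, and a few are unwanted."""
    pkts: List[Packet] = []
    pkts += [Packet("tcp", "192.0.2.50", 40000, ack=True)] * 90   # replies
    pkts += [Packet("tcp", "192.0.2.10", 25)] * 5                 # new SMTP
    pkts += [Packet("tcp", "192.0.2.20", 80)] * 3                 # new HTTP
    pkts += [Packet("udp", "192.0.2.30", 53)] * 2                 # DNS query
    pkts += [Packet("tcp", "192.0.2.10", 23)]                     # telnet probe
    return pkts


def reorder_is_safe(a: List[Rule], b: List[Rule], packets: List[Packet]) -> bool:
    """Check before reordering: both lists must decide every packet the same
    way. Moving a permit above a deny that used to precede it would widen the
    policy; comparing decisions on representative traffic catches that."""
    return decisions(a, packets) == decisions(b, packets)


if __name__ == "__main__":
    traffic = sample_traffic()
    print("same decisions:", reorder_is_safe(ORDER_SLOW, ORDER_FAST, traffic))
    print("lines scanned, established last :", total_comparisons(ORDER_SLOW, traffic))
    print("lines scanned, established first:", total_comparisons(ORDER_FAST, traffic))
```

With this mix the list with "established" last scans 473 lines for 101 packets, while the same list with it first scans 123, a roughly fourfold reduction with identical decisions. Note the last assertion in the design: because "established" tests only the ACK/RST bits, a packet with ACK set to a port the service rules never permit (telnet here) is accepted in either order. Reordering does not change that; it was already true of the list, and it is why the filter is a performance and policy aid rather than a stateful firewall.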
From: "Fernando da Silveira Montenegro" <montenegro @