Subject: Re: ip_fil throughput rates?
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
From: Darren Reed
List: tech-net
Date: 10/27/1999 05:00:50

In some email I received from Jonathan Stone, sie wrote:
> It's been a long time since I did performance measurement of ip_fil.
> What kind of traffic load can the version of -current keep up with?
> Can a 500MHz Pentium-II keep up with, say, 100Mbit of actual TCP
> traffic if using lean, mean rulesets?

Hmmm, maybe.  With a lot of tweaking, I have been able to get an Ultra5
(270MHz) to pass traffic through at about 93% speed of 100BaseT
(11200+kB/s or 17000+pps, using ttcp).  Even then, you want to be using
"fastroute" with "keep state" to achieve that.  Slower CPU, better
architecture.  Hard to say what it would be like on a 500MHz P-II,
except that the box above can only receive ~7000 of those 17000 packets,
each second.

To get a fair idea of what impact ipfilter makes on performance, it'd
be useful to know some sort of benchmark figures of a `naked' system.