Subject: Re: ip_fil throughput rates?
To: Jonathan Stone <jonathan@DSG.Stanford.EDU>
From: Darren Reed <darrenr@reed.wattle.id.au>
List: tech-net
Date: 10/27/1999 11:09:44
In some email I received from Jonathan Stone, sie wrote:
> 
> 
> In message <199910261900.FAA04940@avalon.reed.wattle.id.au>,
> Darren Reed writes:
> 
> >In some email I received from Jonathan Stone, sie wrote:
> [...]
> >> Can a 500MHz Pentium-II keep up with, say, 100Mbit of actual TCP
> >> traffic if using lean, mean rulesets?
> >
> >Hmmm, maybe.  With a lot of tweaking, I have been able to get an Ultra5
> >(270MHz) to pass traffic through at about 93% speed of 100BaseT
> >(11200+kB/s or 17000+pps, using ttcp).  Even then, you want to be using
> >"fastroute" with "keep state" to achieve that. 
> 
> thanks for the feedback, Darren.
> 
> Is `keep state' still going to be a win if the mean connection length
> is only 8-10 TCP segments?  (Think of a webcrawler saturating the
> 100Mbit uplink).  I'm planning to prune the ruleset down to 5-10
> top-level rules, with a group for each interface with about 5 more
> rules.  If the connection lifetime is short, and the set of open
> connections is very large, is keep-state a win over simple port-
> and SYN-filtering?

Yes, as once state information is in the state table, it's a hash
lookup to find it again rather than going over X rules.  You did,
however, mention that you were using only a few rules, so if the
security is less important than performance, not using keep state
may be a win (after you consider the costs of adding/deleting from the
table, collisions, etc).  "fastroute" is something you want to use
as packets which match those rules are effectively output the other
side without checking the access lists again.

Darren
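The trade-off Darren describes (one rule walk per connection plus hash-table maintenance, versus a rule walk for every packet) as an added toy model. This is constructed example code, not IP Filter's own; the rule format, packet record, constant-cost accounting and the worst-case placement of the pass rule are all assumptions.

```python
# Toy cost model: 'keep state' vs. stateless port filtering (constructed
# example, not IP Filter code). Counts rule walks and state-table operations.
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport flags")  # flags: "S", "A", "FA"

class Filter:
    def __init__(self, rules, keep_state):
        self.rules = rules          # ordered list of (dport, action)
        self.keep_state = keep_state
        self.state = {}             # hash keyed on the 4-tuple
        self.rule_evals = 0         # rules walked: the cost keep state avoids
        self.state_ops = 0          # lookups/inserts/deletes: the cost it adds

    def process(self, p):
        key = (p.src, p.sport, p.dst, p.dport)
        if self.keep_state:
            self.state_ops += 1                 # one hash lookup per packet
            action = self.state.get(key)
            if action is not None:
                if "F" in p.flags:              # FIN: delete the entry
                    del self.state[key]
                    self.state_ops += 1
                return action
        for dport, action in self.rules:        # linear scan over the rules
            self.rule_evals += 1
            if dport == p.dport:
                if self.keep_state and action == "pass" and "S" in p.flags:
                    self.state[key] = action    # only the SYN creates state
                    self.state_ops += 1
                return action
        return "block"                          # assumed default policy

def connections(n_conns, segments, dport=80):
    """Constructed workload: n_conns flows of `segments` packets (SYN, data..., FIN)."""
    for i in range(n_conns):
        src, sport = "10.0.0.%d" % (i % 250 + 1), 1024 + i
        yield Packet(src, sport, "192.0.2.1", dport, "S")
        for _ in range(segments - 2):
            yield Packet(src, sport, "192.0.2.1", dport, "A")
        yield Packet(src, sport, "192.0.2.1", dport, "FA")

def run(n_rules, n_conns, segments, keep_state):
    """Return (rule_evals, state_ops); the pass rule is last, the worst case."""
    rules = [(1000 + r, "block") for r in range(n_rules - 1)] + [(80, "pass")]
    f = Filter(rules, keep_state)
    for p in connections(n_conns, segments):
        f.process(p)
    return f.rule_evals, f.state_ops
```

With 10 rules and 1000 nine-segment connections, `run(10, 1000, 9, False)` walks 90,000 rules while `run(10, 1000, 9, True)` walks 10,000 and performs 11,000 hash-table operations, which is the add/delete overhead Darren points to. Shortening the connections or shrinking the rule list narrows that gap, so the numbers should be read as a model of the trade-off, not as a measurement of ipf itself.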