Subject: Re: Overhead of stateful packet filtering
To: None <tech-net@NetBSD.org>
From: Henning Brauer <hb-netbsd-tech-net@bsws.de>
List: tech-net
Date: 08/20/2005 14:12:25
* Matthias Scheler <tron@zhadum.de> [2005-08-20 13:59]:
> I'm considering reconfiguring my firewall (NetBSD 3.0_BETA, PF) to use
> stateful packet filtering. But I'm concerned about the overhead caused
> by that.

there is no overhead - it is faster than stateless filtering, since 
state lookups are way faster than ruleset evaluations.

> Stateful packet filtering means that it has to keep track of every
> connection routed through it. I therefore wonder how much CPU time
> and memory PF needs for that per connection.

as said, it saves CPU power. for memory, well, the rule of thumb is 
something like 1000 states per MB of RAM in the machine.

-- 
Henning Brauer, hb@bsws.de, henning@openbsd.org
BS Web Services, http://bsws.de
OpenBSD-based Webhosting, Mail Services, Managed Servers, ...
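As an added illustration of the point made above (that a state-table hit is one cheap lookup while a packet with no state must be run through the whole ruleset), here is a toy model written for this page; it is not PF's code, and the rules, flow tuples and the 1000-states-per-MB budget function are constructed from the thread's own numbers.

```python
"""Toy model of stateful vs. stateless filtering (added example, not PF code)."""
from dataclasses import dataclass, field
from typing import Optional

# Constructed flow key: (proto, src, sport, dst, dport)
def reverse(flow):
    proto, src, sport, dst, dport = flow
    return (proto, dst, dport, src, sport)

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    dport: Optional[int] = None  # None matches any destination port
    keep_state: bool = True
    quick: bool = False          # PF-style 'quick': stop at this rule

@dataclass
class Filter:
    rules: list
    stateful: bool = True
    states: dict = field(default_factory=dict)
    rule_evals: int = 0          # cost counter: rules inspected so far

    def _evaluate_ruleset(self, flow):
        """Last matching rule wins unless a matching rule is 'quick'."""
        winner = None
        for rule in self.rules:
            self.rule_evals += 1
            if rule.dport is None or rule.dport == flow[4]:
                winner = rule
                if rule.quick:
                    break
        return winner

    def filter(self, flow):
        # Fast path: an established flow costs one hash lookup, zero rules.
        if self.stateful and flow in self.states:
            return "pass"
        rule = self._evaluate_ruleset(flow)   # slow path: full ruleset
        if rule is None or rule.action == "block":
            return "block"
        if self.stateful and rule.keep_state:
            self.states[flow] = True
            self.states[reverse(flow)] = True  # replies hit the fast path too
        return "pass"

def state_budget(ram_mb):
    """Rule of thumb from the thread: roughly 1000 states per MB of RAM."""
    return ram_mb * 1000
```

Feeding 100 packets of one allowed flow through the stateful filter costs 3 rule evaluations in total; the stateless variant pays 3 per packet.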