(no subject)
Andrew Meredith
andrew@anvil.org
Sat, 7 Jul 2001 02:19:28 +0100 (BST)
BTW .. sorry about the lack of Subject: :(
Twas on Fri, 6 Jul 2001 that Michael H. Warfield spake:
>
> On Sat, Jul 07, 2001 at 02:04:37AM +0100, Andrew Meredith wrote:
> >
> > Hi Folks,
>
> > Firstly, am I right in thinking that this will allow certain more subtle
> > probes to be logged, where if the whole of a protocol was allowed it might
> > not?
>
> Hmmm... Answer is, probably, if you set it up that way. Yes,
> you have the ability.
Great, thanks.
> > Second, I am concerned if it might have loading implications on the fairly
> > old and clunky box I am using as my firewall.
>
> You don't specify what your connection to the Internet is.
> [...]
64K ISDN
> In other words, the capacity of your firewall to deal with your
> filtering load depends more on the type of connection than it does
> on netfilter vs ipchains.
Sorry, I was meaning iptables but with a much heavier use of the
connection tracking. The old way just allowed packets of the right
address, port and interface without much reference to their state.
Andy M
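The distinction Andy draws between the old address/port/interface filter and iptables connection tracking, as an added example that is not part of this thread: a small Python model run over constructed packets, where the iptables rules quoted in the comments are the standard state-match idiom and the addresses, ports and interface names are assumptions.

```python
# Added example, not from the thread. The "old way" judges each packet on
# address, port and interface alone; connection tracking checks whether an
# inbound packet belongs to a flow the firewall already saw go out, and can
# log anything that does not. All packet values below are constructed.
from typing import NamedTuple

class Packet(NamedTuple):
    iface: str   # "ppp0" = ISDN link (assumed name)
    src: str
    sport: int
    dst: str
    dport: int
    ack: bool    # TCP ACK flag set, i.e. not a bare SYN

LAN_HOST = "192.168.1.10"   # constructed LAN address

def stateless_inbound_allowed(p: Packet) -> bool:
    """ipchains-style rule: accept any TCP from source port 80 that is not a
    bare SYN (the classic return-traffic rule). Nothing is ever logged."""
    return p.iface == "ppp0" and p.sport == 80 and p.ack

class ConnTracker:
    """Stand-in for netfilter conntrack: remember outbound flows, then
    classify each inbound packet as ESTABLISHED (accept) or NEW (log, drop)."""
    def __init__(self):
        self.flows = set()
        self.log = []

    def outbound(self, p: Packet):
        # store the reversed tuple so the reply packet matches directly
        self.flows.add((p.dst, p.dport, p.src, p.sport))

    def inbound(self, p: Packet) -> bool:
        # iptables -A INPUT -i ppp0 -m state --state ESTABLISHED,RELATED -j ACCEPT
        if (p.src, p.sport, p.dst, p.dport) in self.flows:
            return True
        # iptables -A INPUT -i ppp0 -m state --state NEW -j LOG  (then DROP)
        self.log.append(f"NEW from {p.src}:{p.sport} to {p.dst}:{p.dport}")
        return False

def demo():
    ct = ConnTracker()
    ct.outbound(Packet("ppp0", LAN_HOST, 40001, "203.0.113.5", 80, False))
    reply = Packet("ppp0", "203.0.113.5", 80, LAN_HOST, 40001, True)
    # unsolicited packet from source port 80 with ACK set: the stateless rule
    # lets it through silently, connection tracking logs and drops it
    probe = Packet("ppp0", "198.51.100.9", 80, LAN_HOST, 40002, True)
    return {"stateless": (stateless_inbound_allowed(reply), stateless_inbound_allowed(probe)),
            "stateful": (ct.inbound(reply), ct.inbound(probe)),
            "logged": list(ct.log)}
```

The extra work per packet is one set lookup, which is the kind of per-packet cost the question about an old firewall box on a 64K link is really asking about.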