I have often wondered about the actual performance penalties of running chains on production boxes, where every little bit of speed we can tweak out of them is of importance. I will say this though, I've run snort on a PIII 500 w/ a gig of RAM and it was able to keep up with about 80 megabits of sustained traffic. And it's inspecting packet contents. So chains should be orders of magnitude faster. I wouldn't be afraid to use ipchains on a gigabit connection, I just wouldn't count on that box to do other production work at that point. So, for firewalling a DS-3/T-3 I don't think you should have much trouble. For impact upon boxes doing other critical tasks, I'd be curious to hear others' opinions. :)

Wes