I have often wondered about the actual performance penalties of running
chains on production boxes, where every little bit of speed we can tweak
out of them is of importance. I will say this, though: I've run Snort on a
PIII 500 w/ a gig of RAM and it was able to keep up with about 80 megabits
of sustained traffic. And it's inspecting packet contents. So chains
should be orders of magnitude faster.
I wouldn't be afraid to use ipchains on a gigabit connection; I just
wouldn't count on that box to do other production work at that point. So,
for firewalling a DS-3/T-3 I don't think you should have much trouble.
For impact upon boxes doing other critical tasks, I'd be curious to hear
others' opinions.