[Beowulf] hpl size problems

Robert G. Brown rgb at phy.duke.edu
Wed Sep 28 10:28:04 PDT 2005


Luc Vereecken writes:

> Most of the complex firewall rules have to do with carefully defining 
> what you want to go in, out, or through your machine. However, most 
> of the traffic/packets are related to a connection that was 
> established earlier and that was checked and allowed by the complex 
> set of rules. If you use connection tracking (which you basically 
> have to, to write a robust set of rules that allows more than only 
> port 22) you can significantly reduce the number of rules that need 
> to be checked by putting a check on RELATED/ESTABLISHED very near the 
> beginning of the ruleset. On my head node, 98-99% of the packets only 
> go through this one rule. The other 200+ rules are only visited by 
> unknown connections that need to be checked in more detail (once the 
> connection is allowed to be made, it's too late to do much checking 
> later on anyway).

In other words, it contributes to per-connection latency but not much to
streaming traffic once a connection is made.  So one might expect that
udp (connectionless) traffic would be more expensive overall than
sustained tcp connections...?

   rgb

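The ruleset ordering Luc describes, written out as an added example (not from either poster): a head-node INPUT chain in iptables-restore format with the RELATED/ESTABLISHED short-circuit as the second rule, so that packets of already-vetted connections never reach the per-service rules below it. The interface name, the cluster subnet and the open ports are assumed values for illustration.

```shell
#!/bin/sh
# Added example: head-node INPUT chain with the conntrack short-circuit
# placed before every per-service rule. Values below are assumptions.
CLUSTER_NET="10.0.0.0/24"     # assumed internal cluster subnet
PUBLIC_IF="eth0"              # assumed public-facing interface

# Emit the ruleset in iptables-restore format; rule order is the point.
generate_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
# 1. loopback
-A INPUT -i lo -j ACCEPT
# 2. the short-circuit: packets of connections already accepted below
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# 3. packets with no sane conntrack state are dropped before any service rule
-A INPUT -m conntrack --ctstate INVALID -j DROP
# 4+. only NEW connections get this far; these are the "expensive" rules
-A INPUT -s ${CLUSTER_NET} -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i ${PUBLIC_IF} -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp --icmp-type echo-request -m conntrack --ctstate NEW -j ACCEPT
# anything else falls through to the DROP policy; log it (rate-limited) first
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "INPUT-DROP: " --log-level 4
COMMIT
EOF
}

# 1-based position, among the -A lines, of the first rule matching a pattern.
# Lets you check that the ESTABLISHED rule really precedes every port rule
# after editing the chain.
rule_index() {
    generate_rules | grep '^-A ' | grep -n -- "$1" | head -n1 | cut -d: -f1
}

# Usage (as root): sh firewall.sh | iptables-restore
generate_rules
```

Because the policy is DROP, the LOG rule is the only place rejected NEW connections are recorded; keep the rate limit or a scan will fill the log.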