[Beowulf] hpl size problems
Robert G. Brown
rgb at phy.duke.edu
Wed Sep 28 10:28:04 PDT 2005
Luc Vereecken writes:
> Most of the complex firewall rules have to do with carefully defining
> what you want to go in, out, or through your machine. However, most
> of the traffic/packets are related to a connection that was
> established earlier and that was checked and allowed by the complex
> set of rules. If you use connection tracking (which you basically
> have to to write a robust set of rules that allows more than only
> port 22) you can significantly reduce the number of rules that need
> to be checked by putting a check on RELATED/ESTABLISHED very near the
> beginning of the ruleset. On my head node, 98-99% of the packets only
> go through this one rule. The other 200+ rules are only visited by
> unknown connections that need to be checked in more detail (once the
> connection is allowed to be made, it's too late to do much checking
> later on anyway).
In other words, it contributes to per-connection latency but not much to
streaming traffic once a connection is made. So one might expect that
udp (connectionless) traffic would be more expensive overall than
sustained tcp connections...?
rgb
>
> Luc Vereecken
> Disclaimer: http://www.kuleuven.be/cwis/email_disclaimer.htm
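The rule-ordering argument in the quoted message, as an added example that is not from the thread: a small Python model replays a constructed 100-packet ssh session through a 202-rule chain with a toy conntrack table, once with the ESTABLISHED check first and once with it last, and counts how many rules each packet traverses. The packet trace, the rule list and the simplified conntrack state logic are all assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    port: int            # server-side port of the flow (constructed simplification)
    reply: bool = False  # True when the packet flows from server back to client

def flow_key(p):
    """Direction-independent key so both halves of a flow share one conntrack entry."""
    client, server = (p.dst, p.src) if p.reply else (p.src, p.dst)
    return (p.proto, client, server, p.port)

def build_rules(established_first):
    """Ordered (name, predicate) rules; 200 never-matching fillers stand in for the
    'complex' rules. A predicate sees the packet and its conntrack state."""
    established = ("ESTABLISHED", lambda p, st: st == "ESTABLISHED")
    allow_ssh = ("ssh-new", lambda p, st: st == "NEW" and p.proto == "tcp"
                 and p.port == 22 and not p.reply)
    rules = [allow_ssh] + [("complex-%03d" % i, lambda p, st: False) for i in range(200)]
    return [established] + rules if established_first else rules + [established]

def evaluate(rules, packet, state):
    """Walk the chain in order; return (verdict, number of rules inspected)."""
    for n, (name, pred) in enumerate(rules, 1):
        if pred(packet, state):
            return name, n
    return "DROP", len(rules)

def run_trace(packets, established_first):
    """Replay packets with a toy conntrack table (assumed model): an entry appears on
    the first accepted packet; the flow is ESTABLISHED once a reply has been seen."""
    rules = build_rules(established_first)
    conntrack = {}  # flow_key -> has a reply-direction packet been seen?
    stats = {"accepted": 0, "checks": 0, "one_rule": 0}
    for p in packets:
        key = flow_key(p)
        new = key not in conntrack or (not p.reply and not conntrack[key])
        verdict, n = evaluate(rules, p, "NEW" if new else "ESTABLISHED")
        stats["checks"] += n
        if verdict != "DROP":
            stats["accepted"] += 1
            stats["one_rule"] += 1 if n == 1 else 0
            conntrack[key] = conntrack.get(key, False) or p.reply
    return stats

# Constructed trace: one 100-packet ssh session, client 10.0.0.5 <-> head node 10.0.0.1
SSH_SESSION = [Packet("tcp", "10.0.0.5", "10.0.0.1", 22)] + [
    Packet("tcp", "10.0.0.1", "10.0.0.5", 22, True) if i % 2 == 0
    else Packet("tcp", "10.0.0.5", "10.0.0.1", 22) for i in range(99)]
```

With the ESTABLISHED rule first, 99 of the 100 packets are decided by a single rule check (101 checks in total); with it last, every packet after the first walks all 202 rules (19999 checks). The real-world counterpart is an early `iptables -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT` rule in the chain.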