I thought the 10G benchmarks discussed recently showed that the performance "hit" from keeping state was so small it didn't matter, so you might as well just let the default (keep state) be there for those services.

2013/9/4 Christopher Hilton <[email protected]>

> Does it make sense for me to keep state on inbound udp to services like
> isakmp, dns and ntp? I'm guessing if I don't keep state I'll suffer a slight
> performance hit because the packet that starts the "flow" won't set up a state
> table entry. But won't my first reply packet set up that entry for the rest of
> the flow?
>
> -- Chris
>
> [demime 1.01d removed an attachment of type application/pgp-signature
> which had a name of signature.asc]

--
May the most significant bit of your life be positive.

