> My point wasn't really about performance here, more that systems needing
> this level of performance (server farm is just an example) will probably
> be on an 'inside' network with firewalling being done elsewhere (at the
> access layer, to use the Cisco paradigm). It's just not good design to
> attach such systems directly to an untrusted network, IMHO. So these
> systems just don't need netfilter capabilities.
Don't think of the high end. It is exotic and rare. Think of the ordinary single Linux box somewhere at a rackspace provider, which represents the majority of Linux boxes around, with a not too skilled admin who mostly uses the default settings of his configuration. For that, running firewalling on the same box makes a lot of sense. Normally it is not that loaded and it doesn't matter much how it performs, but it might occasionally be slashdotted, and then it should still hold up.

BTW, basic firewalling is not really that bad as long as you don't have too many rules. Mostly conntrack is painful right now. I'm sure at some point it will be fixed too.

-Andi