
Why should I care about packet filtering when there is connection tracking?

Connection tracking is a nice technique to both simplify and tighten your ruleset, but it certainly does not supersede packet filtering, since you still have to specify rules defining the policy for the connections you want to allow. Those rules apply to all packets which do not belong to an already established connection. Usually, the number of such packets compared to the number of packets belonging to already established connections is rather small (apart from HTTP connections, which are statistically very short), but your firewall should not only cope with the usual case but also prevent abuse of your networks and services. That's essentially the whole point of having a firewall at all.

DoS or DDoS attacks can be used to flood your networks with not yet tracked packets (e.g. a SYN flood) which must be handled by your packet filter. In this case a linear packet filter like iptables again becomes the bottleneck. Of course, you could limit the packet rate of not yet tracked packets, but this approach has one major drawback: you end up dropping valid packets, since the packet rate limiter has no means of distinguishing good from bad packets. If you drop, for instance, half of the incoming not yet tracked packets, then half of the valid packets are dropped as well. With nf-HiPAC you are no longer forced to indiscriminately drop packets to relieve your packet filter. Moreover, you can use the iptables connection tracking facility together with nf-HiPAC, so that you don't lose any functionality but instead gain the performance necessary to withstand attacks against your networks while at the same time not penalizing your users.
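The indiscriminate dropping described above, as an added illustration that is not part of the original FAQ: a small Python simulation of a token-bucket limiter in the style of iptables' `-m limit`, fed a constructed mix of real clients' untracked SYNs and flood SYNs (the traffic rates, the limiter settings and all names are assumptions, not values from the page). Because the limiter sees only arrival times and never the class of a packet, the share of valid packets it drops tracks the overall drop share.

```python
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    t: float       # arrival time in seconds
    legit: bool    # True: a real client's first SYN; False: flood traffic


class TokenBucket:
    """Token-bucket limiter in the style of iptables' -m limit: `rate` tokens
    are added per second up to `burst`; a packet passes only if a token is left."""

    def __init__(self, rate: float, burst: int):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = float(burst), 0.0

    def allow(self, t: float) -> bool:
        self.tokens = min(self.burst, self.tokens + (t - self.last) * self.rate)
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def make_stream(seconds: float, legit_pps: float, flood_pps: float, seed: int = 1):
    """Constructed sample traffic: Poisson arrivals of untracked SYNs from real
    clients (legit_pps) mixed with SYN-flood packets (flood_pps), sorted by time."""
    rng = random.Random(seed)
    pkts = []
    for pps, legit in ((legit_pps, True), (flood_pps, False)):
        t = 0.0
        while True:
            t += rng.expovariate(pps)
            if t > seconds:
                break
            pkts.append(Packet(t, legit))
    pkts.sort(key=lambda p: p.t)
    return pkts


def drop_fractions(pkts, rate: float, burst: int) -> dict:
    """Run the stream through the limiter and report the dropped share per class.
    The limiter only sees arrival times, so it cannot favour the real clients."""
    bucket = TokenBucket(rate, burst)
    seen, dropped = {True: 0, False: 0}, {True: 0, False: 0}
    for p in pkts:
        seen[p.legit] += 1
        if not bucket.allow(p.t):
            dropped[p.legit] += 1
    return {"legit": dropped[True] / seen[True],
            "flood": dropped[False] / seen[False],
            "overall": sum(dropped.values()) / sum(seen.values())}


if __name__ == "__main__":
    # 100 real SYN/s buried in a 900 SYN/s flood, limited to 500/s with burst 500
    print(drop_fractions(make_stream(10, 100, 900), rate=500, burst=500))
```

With the assumed mix, roughly 45% of all untracked packets are dropped, and the real clients lose the same share of their connection attempts as the flood does.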

Despite its usefulness, there are still situations where you want to avoid the overhead of connection tracking. Although only a constant amount of time is added to the processing time of each packet (at least in theory), you may need to avoid even that in order to achieve maximum packet rates. Such setups require a highly efficient stateless packet filter which is very robust against DoS or DDoS attacks. Again, nf-HiPAC fully meets this requirement.