ipfw deprecation

Matthew Dillon dillon at apollo.backplane.com
Tue Jun 27 11:01:40 PDT 2006

:Incoming bandwidth limitation makes not much sense. There's no local
:queue involved and the transfer did happen already. DOS protection on
:the end-system is difficult...

    I'd say it is more situational, but still very important.  I've used
    incoming bandwidth limits on DNS servers.  Any UDP service where the
    incoming packet is much smaller than the outgoing packet can benefit.
    By clamping the input you avoid the situation where your userland server
    is grinding cpu to produce an output packet that would otherwise have to
    be discarded.

					Matthew Dillon 
					<dillon at xxxxxxxxxxxxx>
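
The argument in the message above, as an added model that is not part of the original post: a token-bucket clamp on incoming queries is compared with no clamp for a UDP server whose responses are larger than its queries. The trace, capacities and sizes are constructed assumptions, not measurements.

```python
from dataclasses import dataclass

@dataclass
class TokenBucket:
    rate: int        # queries admitted per tick (the inbound clamp)
    burst: int       # maximum tokens held
    tokens: int = 0

    def admit(self, arrivals: int) -> int:
        """Refill, then return how many of `arrivals` pass the limiter."""
        self.tokens = min(self.burst, self.tokens + self.rate)
        passed = min(arrivals, self.tokens)
        self.tokens -= passed
        return passed

def simulate(trace, cpu_qps, resp_bytes, uplink_bytes, limiter=None):
    """Run a per-second trace of arriving queries through the server model.

    Returns totals: queries answered in userland (CPU spent), responses
    that fit on the uplink, and responses built and then discarded.
    """
    uplink_resps = uplink_bytes // resp_bytes   # responses the link carries per tick
    cpu = sent = wasted = dropped_in = 0
    for arrivals in trace:
        admitted = limiter.admit(arrivals) if limiter else arrivals
        dropped_in += arrivals - admitted       # cheap drop in the packet filter
        answered = min(admitted, cpu_qps)       # userland does the work
        out = min(answered, uplink_resps)       # what actually leaves the box
        cpu += answered
        sent += out
        wasted += answered - out                # CPU spent on discarded output
    return {"cpu": cpu, "sent": sent, "wasted": wasted, "dropped_in": dropped_in}

# Constructed trace: queries per second, quiet periods with two floods.
TRACE = [200, 300, 5000, 5000, 5000, 250, 4000, 200]
CPU_QPS = 4000          # assumed userland capacity, queries per second
RESP_BYTES = 500        # assumed response size (the query is much smaller)
UPLINK_BYTES = 500_000  # assumed outbound capacity per second: 1000 responses

def compare():
    unclamped = simulate(TRACE, CPU_QPS, RESP_BYTES, UPLINK_BYTES)
    clamp = TokenBucket(rate=1000, burst=1000)  # clamp input to what the uplink can answer
    clamped = simulate(TRACE, CPU_QPS, RESP_BYTES, UPLINK_BYTES, clamp)
    return unclamped, clamped

if __name__ == "__main__":
    for name, result in zip(("unclamped", "clamped"), compare()):
        print(name, result)
```

Both runs deliver the same number of responses; the clamp only moves the discard from after the userland work to before it.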
