> > As an aside, is there any feel for how much CPU load the kernel-level packet
> > filter imposes on a system? I'm thinking we might like to experiment with
> > it if insufficient access control is provided via MU CONFIG/SERVER or other
> > services which don't use MASTER_SERVER.
> >

> I'm not sure of the load. As I mentioned above I do think you
> will find this the best solution.

I doubt that you'd ever notice a change in CPU load with the
kernel-level packet filter activated. It's pretty straight-forward
code that only consists of a few dozen extra instructions per packet.
I've never done any load-testing, but you'd have to have thousands, or
tens of thousands, of rules (which you can't have anyway, because I
think there's a limit of 1024) before you'd probably be able to really
measure the impact.

Hunter Goatley, Process Software, http://www.process.com/