You may want to look into OpenBSD's new packet filter, pf(4). It's a stateful filter, which, according to pf.conf(8), is usually faster than a rule-based filter:
...
But I agree with Scott that a stateful packet filter like pf on OpenBSD or ipf on FreeBSD is much better at this task.
Don't confuse "stateful" firewalls with "compiled" firewalls. Stateful just means you're maintaining state of established flows, which is behaviorally different from a non-stateful filter. Compiled is when you pre-process a normal ruleset and produce a matching engine which is better suited to doing complex lookups. Some implementations of this include Cisco's "turbo acl", Bill Fumerola's C primitive generation from ipfw rules, Juniper's internal handling of all firewalling, etc. People are trying anything, from adding a few binary trees in your lookup to making a true compiler which produces packet matching code.

As I understand OpenBSD's pf (which may not be complete, so feel free to point out if I'm wrong), it isn't actually doing anything to compile normal packet lookups; it just added a non-sequential lookup engine for the truly "stateful" filtering that it does. While this is nice and all, it doesn't replace the functionality of normal rule-based filtering, and it isn't the same as a true compiled filter. The closest comparison you could make for the normal readers of this list is that it is the same as speeding up acl matches by enabling the flow route-cache on a Cisco.

-- 
Richard A Steenbergen <ras@e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
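The three engines the reply distinguishes, as an added toy example in Python that is not code from the thread or from pf: a sequential rule-based filter, a "compiled" version of the same ruleset (hash tables stand in for the binary trees or generated code mentioned above), and a stateful filter that consults the rule engine only for a flow's first packet. The ruleset, packet stream and 5-tuple flow key are constructed for the example.

```python
from collections import namedtuple
Packet = namedtuple("Packet", "src dst proto sport dport")
# Constructed toy ruleset, first match wins (not a real pf.conf):
# (action, proto, dst_port); dst_port None means "any port".
RULES = [("pass", "tcp", 22), ("pass", "tcp", 80), ("pass", "tcp", 443),
         ("block", "tcp", None), ("pass", "udp", 53), ("block", "udp", None)]

def sequential_match(rules, pkt):
    """Plain rule-based filter: walk rules top to bottom; returns (action, rules examined)."""
    for n, (action, proto, dport) in enumerate(rules, 1):
        if proto == pkt.proto and dport in (None, pkt.dport):
            return action, n
    return "block", len(rules)  # implicit default when nothing matches

def compile_rules(rules):
    """'Compiled' filter: pre-process the ruleset into hash tables giving the same
    first-match verdict as sequential_match in a single lookup."""
    exact, fallback = {}, {}
    for action, proto, dport in rules:
        if dport is None:
            fallback.setdefault(proto, action)  # first "any port" rule per proto
        elif (proto, dport) not in exact:      # shadowing resolved at compile time
            probe = Packet(None, None, proto, None, dport)
            exact[(proto, dport)] = sequential_match(rules, probe)[0]
    def lookup(pkt):
        return exact.get((pkt.proto, pkt.dport), fallback.get(pkt.proto, "block")), 1
    return lookup

class StatefulFilter:
    """Stateful filter: rules are consulted only for a flow's first packet;
    later packets of a passed flow are matched from the state table alone."""
    def __init__(self, lookup):
        self.lookup, self.states, self.rule_evals = lookup, set(), 0
    def filter(self, pkt):
        flow = (pkt.src, pkt.dst, pkt.proto, pkt.sport, pkt.dport)
        if flow in self.states:
            return "pass"
        self.rule_evals += 1
        action, _ = self.lookup(pkt)
        if action == "pass":
            self.states.add(flow)
        return action

def compare(packets):
    """Same stream through all engines: (sequential rules examined, compiled lookups, stateful rule consultations, verdicts)."""
    compiled = compile_rules(RULES)
    stateful = StatefulFilter(lambda p: sequential_match(RULES, p))
    verdicts = [stateful.filter(p) for p in packets]
    return (sum(sequential_match(RULES, p)[1] for p in packets),
            sum(compiled(p)[1] for p in packets), stateful.rule_evals, verdicts)
```

Note that the stateful engine still runs the rule scan for every packet of a blocked flow, since no state is created for it; pairing it with the compiled lookup is what removes the sequential scan entirely.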