All three devices (UDM router, Raspberry Pi, Pixel 5a) for which I created custom on-device iptables rules (with many simple rules) ended up booting much slower and being significantly less responsive compared to the default iptables rules or no rules at all.

There were about 150 rules per device. When I improved my understanding of the syntax, I rewrote my rules to achieve the same effect, but the number of rules went from about 150 to about 15. Boot-up time, responsiveness, and throughput improved significantly, but my original 150 rules were very simple and only included dropping packets for specific protocols and IP addresses. They didn't include any kind of advanced IDS/IPS.

I realized 15 was 10x less than 150, but again, the rules were simple and Netfilter was supposed to be a lightweight solution. I could understand a Raspberry Pi not having powerful hardware, but why would today's routers like the UDM and phones with hardware specs like the Pixel 5a be hampered by having to analyze each packet header for protocol and IP against 150 criteria/conditions? Again, no IDS/IPS was involved...
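The kind of consolidation the post describes, shown as an added example that is not the poster's own ruleset: the same drop policy is written once as one iptables rule per host/port pair and once as a single rule that matches an ipset of hosts plus a multiport list, with an ESTABLISHED,RELATED accept placed first so only new connections walk the chain. The hosts and ports are constructed sample data from the TEST-NET documentation ranges, and the set name `blocked_src` is an assumption. The script only generates `iptables-restore` and `ipset restore` text, so it runs without root; loading the output is shown in the usage comment.

```shell
#!/bin/sh
# Added example (not the original poster's rules): one drop policy written
# two ways. Hosts and ports are constructed sample data (TEST-NET ranges).

BLOCKED_HOSTS="192.0.2.10 192.0.2.11 198.51.100.5 198.51.100.6 203.0.113.7"
BLOCKED_PORTS="23 135 137 138 139 445 1900 5353 8080 9100"

# Naive form: one -A INPUT rule per (host, port) pair, in iptables-restore
# format. Every packet reaching INPUT is compared against these rules in
# order until one matches, so the cost grows with the rule count.
naive_rules() {
    echo '*filter'
    for h in $BLOCKED_HOSTS; do
        for p in $BLOCKED_PORTS; do
            echo "-A INPUT -s $h -p tcp --dport $p -j DROP"
        done
    done
    echo 'COMMIT'
}

# Set definition for the consolidated form, in 'ipset restore' format.
# A hash:ip set is looked up by hash, not by walking a list of rules.
# The set name blocked_src is an assumption for this example.
blocked_ipset() {
    echo 'create blocked_src hash:ip family inet'
    for h in $BLOCKED_HOSTS; do
        echo "add blocked_src $h"
    done
}

# Consolidated form: the first rule accepts packets of already-tracked
# flows, so only new connections reach the DROP rule; that rule checks the
# whole host set and every port in one evaluation (multiport allows up to
# 15 ports per rule).
consolidated_rules() {
    _ports=$(echo $BLOCKED_PORTS | tr ' ' ',')
    echo '*filter'
    echo '-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT'
    echo "-A INPUT -m set --match-set blocked_src src -p tcp -m multiport --dports $_ports -j DROP"
    echo 'COMMIT'
}

# Count the -A rules in iptables-restore text read from stdin.
rule_count() {
    grep -c '^-A '
}

# Usage (as root, on a box with ipset and iptables installed):
#   blocked_ipset      | ipset restore -exist
#   consolidated_rules | iptables-restore
# Compare sizes without touching the kernel:
#   naive_rules | rule_count          # 50 rules for 5 hosts x 10 ports
#   consolidated_rules | rule_count   # 2 rules for the same policy
```

Both outputs are plain text, so they can be diffed and reviewed before loading; `iptables-restore --test` will parse the filter table text without applying it. The two functions express the same policy, which is what makes the rule-count comparison meaningful: the naive form grows as hosts times ports, while the consolidated form stays at two rules no matter how many hosts are added to the set.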