Dmitry Morozovsky wrote:
On Thu, 16 Jan 2003, Darren Pilgrim wrote:

DP> There is sorting that you can do, like putting the highest-traffic rules
DP> near the top.  ipfw terminates the search on the first matching rule except
DP> for count and skipto.  Also, the fewer items that have to be checked the
DP> faster the rule is.  Perhaps there is some aggregation that can be done with
DP> the rules themselves?

> By the way, is a (moderately complex) aggregated rule faster than a mix of simple
> rules? (for now, we drop accounting issues)
> 
> So, will
> 
> permit tcp from {a.b.c.0/24 or e.f.g.0/20} to any 22,25,80,443 setup
> 
> perform measurably better than a set of 8 corresponding rules?

I'm not sure if the {a.b.c.0/24 or e.f.g.0/20} part is valid, but in theory
this rule should require fewer ops on average than 8 separate rules. What I meant when I said aggregate is that if you have a contiguous block of IPs, say 1.2.3.1 through 1.2.3.63, and most need ports 22, 25, 80, and 443 open, then create one rule:

pass tcp from any to 1.2.3.0/26 22,25,80,443

Then turn on the tcp.blackhole sysctl on the machines and you have the same effect with just one rule instead of 60, or configure firewalls with just two rules:

allow tcp from any to me porta,portb,portc
allow tcp from me to any
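Added example, not code from this thread and not ipfw itself: a small Python model of the first-match evaluation the two messages above are reasoning about. It walks a ruleset the way ipfw does (the first matching allow/deny ends the search, a matching count rule only increments and the search continues), then compares the number of rule checks spent on some constructed sample traffic by eight narrow rules versus one aggregated rule. Since the thread is unsure whether the {a.b.c.0/24 or e.f.g.0/20} syntax is valid, the aggregated rule is modelled as a single rule holding a list of source networks and a set of ports. The networks (10.0.0.0/24, 172.16.0.0/20), packets and port list are constructed for the example; covering_prefix() does the contiguous-block aggregation step from the reply (1.2.3.1 through 1.2.3.63 into 1.2.3.0/26) and lets you check how many extra addresses the single prefix lets in.

```python
"""Model of ipfw first-match rule evaluation: aggregated rule vs. narrow rules.
Added example; the rule matcher is a simplification, not ipfw's real code."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str          # "allow", "deny" or "count"
    proto: str           # "tcp" or "any"
    srcs: tuple          # IPv4Network objects; empty tuple means "any"
    dsts: tuple          # IPv4Network objects; empty tuple means "any"
    dports: frozenset    # destination ports; empty set means "any"
    setup: bool = False  # ipfw "setup": match only the initial SYN of a TCP session


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    setup: bool = False  # True for a TCP SYN without ACK


def _in_nets(addr, nets):
    if not nets:
        return True
    a = ipaddress.ip_address(addr)
    return any(a in n for n in nets)


def matches(rule, pkt):
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if rule.setup and not pkt.setup:
        return False
    if rule.dports and pkt.dport not in rule.dports:
        return False
    return _in_nets(pkt.src, rule.srcs) and _in_nets(pkt.dst, rule.dsts)


def evaluate(rules, pkt, default="deny"):
    """Walk the ruleset top to bottom. The first matching allow/deny ends the
    search; a matching count rule is charged but the search continues.
    Returns (verdict, number of rules examined)."""
    examined = 0
    for rule in rules:
        examined += 1
        if matches(rule, pkt):
            if rule.action == "count":
                continue
            return rule.action, examined
    return default, examined


# Constructed sample networks and ports (stand-ins for a.b.c.0/24, e.f.g.0/20).
NETS = (ipaddress.ip_network("10.0.0.0/24"), ipaddress.ip_network("172.16.0.0/20"))
PORTS = frozenset({22, 25, 80, 443})

# Eight narrow rules, one per (network, port) pair, versus one aggregated rule.
SEPARATE = tuple(Rule("allow", "tcp", (n,), (), frozenset({p}), setup=True)
                 for n in NETS for p in sorted(PORTS))
AGGREGATED = (Rule("allow", "tcp", NETS, (), PORTS, setup=True),)

# Constructed sample traffic: two hits, one unknown port, one non-TCP packet.
SAMPLE = (
    Packet("tcp", "10.0.0.5", "203.0.113.9", 443, setup=True),
    Packet("tcp", "172.16.3.7", "203.0.113.9", 22, setup=True),
    Packet("tcp", "10.0.0.5", "203.0.113.9", 8080, setup=True),
    Packet("udp", "10.0.0.5", "203.0.113.9", 53),
)


def compare(packets):
    """Total rule checks each ruleset spends on the given packets."""
    return {name: sum(evaluate(rules, p)[1] for p in packets)
            for name, rules in (("separate", SEPARATE), ("aggregated", AGGREGATED))}


def covering_prefix(first, last):
    """Smallest single CIDR block containing every address from first to last.
    It may also cover addresses outside the range: 1.2.3.1-63 -> 1.2.3.0/26,
    which includes 1.2.3.0 as well."""
    lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
    for plen in range(32, -1, -1):
        net = ipaddress.ip_network(f"{lo}/{plen}", strict=False)
        if hi in net:
            return net


if __name__ == "__main__":
    print(compare(SAMPLE))
    net = covering_prefix("1.2.3.1", "1.2.3.63")
    print(net, "extra addresses:", net.num_addresses - 63)
```

On the sample traffic the eight narrow rules cost 25 checks and the single aggregated rule 4, and the gap is widest for packets that match nothing, since those walk the whole list before falling through to the default. The covering_prefix() result is worth checking before collapsing a range into one rule: 1.2.3.0/26 is 64 addresses, so it passes traffic for 1.2.3.0 as well as the 63 hosts the reply had in mind.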


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-hackers" in the body of the message