On 02/07/2012 13:41, Tonix (Antonio Nati) wrote:

> I've suggested (both for pfSense and Monowall) to give the possibility to invert the filtering directions.
>
> In complex environments, it would be a lot more useful to apply filters to outgoing interfaces (instead of incoming interfaces). In this way you write only one statement and only for the interface which is managing the output zone.
>
> If this basic system setting (apply filters to incoming or outgoing interfaces) could be modified, I'm sure all ISPs will apply filters to outgoing interfaces.
>
> With output filters, interface management could also be allowed per user, as it would not interfere with other interfaces.

In some environments this might cause a performance issue and perhaps be easier to DoS.

In an outbound filtering scenario:

If you think about it, the firewall looks at the packet, processes it (NATs & routes it appropriately etc...) then when it goes to transmit the packet only then does it check the outbound ruleset and makes the decision to drop the packet - but it already wasted quite a few CPU loops before deciding to drop the packet.

In an inbound filtering scenario the packet is dropped or accepted prior to any routing, NAT etc... and a lot fewer CPU instructions are wasted.

Just a thought?

--
Regards,

Giles Coochey, CCNA, CCNAS
NetSecSpec Ltd
+44 (0) 7983 877438
http://www.coochey.net
http://www.netsecspec.co.uk
gi...@coochey.net
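As an added illustration (not from either post in this thread), the same policy written both ways in pf.conf syntax, with the interface names lan0, guest0, vpn0, dmz0 and the address 192.0.2.10 being assumptions:

```conf
# Added example, not from the thread. Assumed layout: three internal
# interfaces (lan0, guest0, vpn0) and one DMZ interface (dmz0) that hosts
# a database server. Policy: only lan0 may reach the database; drop the rest.

db_srv = "192.0.2.10"          # constructed address (TEST-NET-1 range)

# --- Inbound-interface model (the pfSense/m0n0wall default) -------------
# The verdict is reached as the packet enters its source interface, before
# routing and NAT, so a dropped packet costs few cycles. The price is one
# statement per source interface: a fourth internal interface needs a
# fourth rule here, and forgetting it leaves that interface unfiltered.
block in quick on guest0 proto tcp to $db_srv port 5432
block in quick on vpn0   proto tcp to $db_srv port 5432
pass  in quick on lan0   proto tcp to $db_srv port 5432

# --- Outbound-interface model (what the quoted post asks for) -----------
# One statement on the interface that "manages the output zone". Traffic for
# the database from any interface, present now or added later, is evaluated
# here. The trade-off is the one the reply raises: by the time an "out" rule
# runs, the packet has already been routed (and NATed) to dmz0.
block out quick on dmz0 proto tcp to $db_srv port 5432
pass  out quick on dmz0 proto tcp from lan0:network to $db_srv port 5432
```

pf evaluates a forwarded packet against "in" rules on its ingress interface and "out" rules on its egress interface, so the two fragments above can also coexist; the inbound set fails closed per interface, the outbound set fails closed per destination zone.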



_______________________________________________
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
