I don't think this is necessary, because you have the "on" keyword. Filtering occurs in the kernel AFTER the packet is passed in by the NIC driver; I think what you mention would require separate filters for each NIC, which would cause some things not to function properly (states etc.). Trust the skip-steps, they do what they should, well enough (we have such a bridge firewall here with about 400 rules, on a 400MHz PIII with 256MByte RAM and NO load or latency problems, nor problems with throughput). I think such a separation (even only for config files) makes no sense.

Did I get something wrong? Enlighten me if ...

----- Original Message -----
From: "Ed White" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, February 05, 2003 4:24 PM
Subject: pf.conf and PF behaviour

> Hi,
>
> I've a quick question for PF developers:
>
> if PF checks the ruleset every time a packet passes through an interface, this means
> that for a classic gateway/bridge/firewall it will evaluate the ruleset 2 times.
> One going in if1 and going out if2, right?
>
> So Daniel has created skip-steps that let you jump all (or a lot of) rules
> related to other interfaces.
>
> But why don't you separate ruleset files?
>
> pf.conf (all global definitions)
> pf.rl0
> pf.fxp0
> pf.dc0
> pf.dc1
> pf.tun0
>
> So you'll be sure to evaluate interface related rules only.
>
> What about?
>
>
> Ed
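To illustrate the point made in the reply (and the skip-steps Ed asks about), here is an added toy model of how pf's skip steps let a mixed ruleset avoid evaluating rules for other interfaces; it is constructed for this thread and is not pf's own code. The interface names, the ruleset and the packet are made up; only the interface, direction and protocol fields are modelled.

```python
# Toy model of pf's skip-step idea (not pf's own code). Consecutive rules that
# share a value in one field share a skip pointer to the first rule after that
# run, so a single failed "on fxp0" test jumps past every fxp0 rule at once.
FIELDS = ("ifname", "direction", "proto")


def rule(ifname, direction, proto, quick=False):
    """A field set to None means 'any' (e.g. a rule written without 'on')."""
    return {"ifname": ifname, "direction": direction, "proto": proto, "quick": quick}


def calc_skip_steps(rules):
    """skip[i][f] = index of the first rule after i whose field f differs."""
    n, skip = len(rules), [dict() for _ in rules]
    for f in FIELDS:
        i = 0
        while i < n:
            j = i
            while j < n and rules[j][f] == rules[i][f]:
                j += 1
            for k in range(i, j):
                skip[k][f] = j
            i = j
    return skip


def evaluate(rules, skip, packet):
    """Walk the ruleset pf-style (last match wins, 'quick' stops early).
    Returns (index of the winning rule or None, number of rules visited)."""
    i, match, visited = 0, None, 0
    while i < len(rules):
        visited += 1
        r = rules[i]
        failed = next((f for f in FIELDS if r[f] is not None and r[f] != packet[f]), None)
        if failed is not None:
            i = skip[i][failed]  # jump past every rule sharing that value
            continue
        match = i
        if r["quick"]:
            break
        i += 1
    return match, visited


# Constructed bridge ruleset: one catch-all, then five rules per interface.
RULES = [rule(None, None, None)]
for ifn in ("fxp0", "dc0", "dc1", "tun0"):
    for d, p in (("in", "tcp"), ("in", "udp"), ("in", "icmp"), ("out", "tcp"), ("out", "udp")):
        RULES.append(rule(ifn, d, p))

SKIP = calc_skip_steps(RULES)
PACKET = {"ifname": "dc1", "direction": "in", "proto": "udp"}
```

For the constructed 21-rule set, `evaluate(RULES, SKIP, PACKET)` visits only 8 rules to find the winning `dc1 in udp` rule, because every run of rules for another interface is skipped in one hop, which is why per-interface rule files buy nothing here.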
