David L. Strout wrote:
> An interface NOT listening for a service is a far better use of resources than inspecting and comparing packets to a filter rule. Just think about it for a minute and it will become blatantly apparent.
No, it doesn't... Unless you completely disable filtering, you're still processing packets through pf before they hit any services running on your machine. It doesn't matter if the service is listening or not, it still goes through the same ruleset. Still goes through the same processing. The only way to prevent it from going through the filtering process is to prevent the packet from being generated and directed towards the firewall.
> In firewalls employing packet filtering (as is the case w/ pfSense) where you have to inspect every packet and compare against policies/filters... the less you HAVE to inspect the better use of resources you'll achieve.
It's going to inspect that traffic whether or not anything is listening on that interface. It's not like an open port makes it bypass the pf ruleset.
It would be fine if you could specifically select which IPs or interfaces you want it to listen on - patches are accepted. But whatever benefit you have cooked up in your head about less resource requirements just isn't the case at all.
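To make the reply's point concrete, here is an added toy model of pf's rule evaluation (every rule is compared in order, the last match wins unless a matching rule is `quick`). It is constructed illustration, not pf's code or anything from the thread; the ruleset, interface names (em0/em1) and port numbers are made up.

```python
"""Toy model of pf filter evaluation. Shows that a packet aimed at a port
with no listener still traverses the whole ruleset; only the rules
themselves (e.g. an early 'quick' block) change how much work pf does.
Constructed example, not pf's implementation."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    iface: Optional[str] = None  # None matches any interface
    dport: Optional[int] = None  # None matches any destination port
    quick: bool = False          # stop evaluating on match


@dataclass(frozen=True)
class Packet:
    iface: str
    dport: int


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, int]:
    """Return (final action, number of rules compared).
    pf semantics: last matching rule decides unless a match is 'quick'."""
    action = "pass"   # pf's implicit default when no rule matches
    compared = 0
    for r in rules:
        compared += 1
        if r.iface is not None and r.iface != pkt.iface:
            continue
        if r.dport is not None and r.dport != pkt.dport:
            continue
        action = r.action
        if r.quick:
            break
    return action, compared


# Constructed ruleset: default block, then allow three services on em0.
RULESET = [
    Rule("block"),
    Rule("pass", iface="em0", dport=22),
    Rule("pass", iface="em0", dport=80),
    Rule("pass", iface="em0", dport=443),
]
# Same ruleset with an early 'quick' block on the unused interface em1:
# this, not the absence of a listener, is what shortens evaluation.
QUICK_RULESET = [Rule("block", iface="em1", quick=True)] + RULESET

if __name__ == "__main__":
    for p in (Packet("em0", 80), Packet("em0", 8080), Packet("em1", 8080)):
        print(p, evaluate(RULESET, p), evaluate(QUICK_RULESET, p))
```

Whether or not anything listens on 8080, the packet to em0:8080 is compared against all four rules exactly like the packet to em0:80; only the `quick` rule on em1 cuts the comparison count to one.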