Date: Sun, 19 Jan 2003 16:56:51 -0800
From: Darren Pilgrim <dmp@pantherdragon.org>
To: Dmitry Morozovsky <marck@rinet.ru>
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID: <3E2B4953.7060008@pantherdragon.org>
References: <20030116124254.J9642-100000@mail.econolodgetulsa.com> <3E2738BA.4090806@pantherdragon.org> <20030119001015.S46739@woozle.rinet.ru>
Dmitry Morozovsky wrote:
> On Thu, 16 Jan 2003, Darren Pilgrim wrote:
>
> DP> There is sorting that you can do, like putting the highest-traffic rules
> DP> near the top. ipfw terminates the search on the first matching rule except
> DP> for count and skipto. Also, the fewer items that have to be checked the
> DP> faster the rule is. Perhaps there is some aggregation that can be done with
> DP> the rules themselves?
>
> By the way, is (moderately complex) aggregated rule faster than mix of simple
> rules? (for now, we drop accounting issues)
>
> So, will
>
> permit tcp from {a.b.c.0/24 or e.f.g.0/20} to any 22,25,80,443 setup
> perform measurably better than set of 8 corresponding rules?
I'm not sure if the {a.b.c.0/24 or e.f.g.0/20} part is valid, but in theory
this rule should require fewer ops on average than 8 separate rules. What I
meant when I said aggregate is that if you have a contiguous block of IPs,
say 1.2.3.1 through 1.2.3.63, most need ports 22, 25, 80, and 443 open, then
create one rule:
pass tcp from any to 1.2.3.0/26 22,25,80,443
Then turn on the tcp.blackhole sysctl on the machines and you have the same
effect with just one rule instead of 60 or configure firewalls with just two
rules:
allow tcp from any to me porta,portb,portc
allow tcp from me to any
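The cost argument made in this reply (first-match evaluation, so one aggregated CIDR rule is cheaper on average than one rule per host) can be checked with a toy model. The following is an added example, not code from the thread or from ipfw itself: a minimal first-match filter that counts how many rules are examined per packet, plus a helper that collapses a contiguous host range into CIDR blocks. The `Rule` fields, the packet dictionary format, the `1.2.3.0/26` block and the sample SYN traffic are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    """A toy ipfw-like rule (constructed model, not ipfw's real rule format)."""
    action: str                     # "allow" or "deny"
    proto: str                      # "tcp", "udp" or "ip" (ip = any protocol)
    dst: ipaddress.IPv4Network      # destination network the rule covers
    ports: frozenset = frozenset()  # destination ports; empty set = any port
    setup: bool = False             # ipfw-style "setup": match only TCP SYN

    def matches(self, pkt):
        """pkt is a dict with keys proto, dst, dport, syn (constructed format)."""
        if self.proto != "ip" and pkt["proto"] != self.proto:
            return False
        if ipaddress.IPv4Address(pkt["dst"]) not in self.dst:
            return False
        if self.ports and pkt["dport"] not in self.ports:
            return False
        if self.setup and not pkt.get("syn", False):
            return False
        return True


def evaluate(rules, pkt, default="deny"):
    """First-match evaluation, as ipfw does it (count/skipto ignored).
    Returns (action, number_of_rules_examined)."""
    for examined, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, examined
    return default, len(rules)


def aggregate_range(first, last):
    """Collapse a contiguous host range into the fewest CIDR blocks."""
    return [str(net) for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))]


def per_host_rules(first, last, ports):
    """One allow rule per host: the naive ruleset the reply argues against."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    return [Rule("allow", "tcp",
                 ipaddress.IPv4Network(f"{ipaddress.IPv4Address(a)}/32"),
                 frozenset(ports), setup=True)
            for a in range(lo, hi + 1)]


def aggregated_rules(first, last, ports):
    """One allow rule per CIDR block covering the same hosts and ports."""
    return [Rule("allow", "tcp", ipaddress.IPv4Network(block),
                 frozenset(ports), setup=True)
            for block in aggregate_range(first, last)]


def average_cost(rules, packets):
    """Mean number of rules examined per packet under first-match semantics."""
    return sum(evaluate(rules, p)[1] for p in packets) / len(packets)


SERVICE_PORTS = (22, 25, 80, 443)

# Constructed sample traffic: one SYN to port 80 for every host in 1.2.3.0/26.
SAMPLE_SYNS = [{"proto": "tcp", "dst": f"1.2.3.{h}", "dport": 80, "syn": True}
               for h in range(64)]

if __name__ == "__main__":
    naive = per_host_rules("1.2.3.0", "1.2.3.63", SERVICE_PORTS)
    compact = aggregated_rules("1.2.3.0", "1.2.3.63", SERVICE_PORTS)
    print("aggregated blocks:", aggregate_range("1.2.3.0", "1.2.3.63"))
    print(len(naive), "per-host rules, avg examined:",
          average_cost(naive, SAMPLE_SYNS))
    print(len(compact), "aggregated rule(s), avg examined:",
          average_cost(compact, SAMPLE_SYNS))
```

With the constructed traffic the 64 per-host rules are examined 32.5 times per packet on average, the single `/26` rule once. Note that the range must be CIDR-aligned to collapse to one block: `1.2.3.1` through `1.2.3.63` summarizes to six blocks, which is why the reply starts its block at `.0`.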
