From owner-freebsd-hackers Sun Jan 19 16:57: 2 2003
Delivered-To: freebsd-hackers@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id 4960437B401 for ; Sun, 19 Jan 2003 16:57:01 -0800 (PST)
Received: from spork.pantherdragon.org (spork.pantherdragon.org [206.29.168.146]) by mx1.FreeBSD.org (Postfix) with ESMTP id 949E243EB2 for ; Sun, 19 Jan 2003 16:57:00 -0800 (PST) (envelope-from dmp@pantherdragon.org)
Received: from sparx.techno.pagans (12-224-208-117.client.attbi.com [12.224.208.117]) by spork.pantherdragon.org (Postfix) with ESMTP id 56A511005F; Sun, 19 Jan 2003 16:56:54 -0800 (PST)
Received: from pantherdragon.org (speck.techno.pagans [172.21.42.2]) by sparx.techno.pagans (Postfix) with ESMTP id 18CFCAA8F; Sun, 19 Jan 2003 16:56:52 -0800 (PST)
Message-ID: <3E2B4953.7060008@pantherdragon.org>
Date: Sun, 19 Jan 2003 16:56:51 -0800
From: Darren Pilgrim
User-Agent: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.1) Gecko/20020826
X-Accept-Language: en-us, en
MIME-Version: 1.0
To: Dmitry Morozovsky
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
References: <20030116124254.J9642-100000@mail.econolodgetulsa.com> <3E2738BA.4090806@pantherdragon.org> <20030119001015.S46739@woozle.rinet.ru>
Content-Type: text/plain; charset=us-ascii; format=flowed
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-hackers@FreeBSD.ORG
Precedence: bulk
List-ID:
List-Archive: (Web Archive)
List-Help: (List Instructions)
List-Subscribe:
List-Unsubscribe:
X-Loop: FreeBSD.ORG

Dmitry Morozovsky wrote:
> On Thu, 16 Jan 2003, Darren Pilgrim wrote:
>
> DP> There is sorting that you can do, like putting the highest-traffic rules
> DP> near the top. ipfw terminates the search on the first matching rule except
> DP> for count and skipto. Also, the fewer items that have to be checked the
> DP> faster the rule is. Perhaps there is some aggregation that can be done with
> DP> the rules themselves?
>
> By the way, is a (moderately complex) aggregated rule faster than a mix of simple
> rules? (for now, we drop accounting issues)
>
> So, will
>
> permit tcp from {a.b.c.0/24 or e.f.g.0/20} to any 22,25,80,443 setup
>
> perform measurably better than a set of 8 corresponding rules?

I'm not sure if the {a.b.c.0/24 or e.f.g.0/20} part is valid, but in theory this rule should require fewer ops on average than 8 separate rules.

What I meant when I said aggregate is that if you have a contiguous block of IPs, say 1.2.3.1 through 1.2.3.63, and most of them need ports 22, 25, 80, and 443 open, then create one rule:

pass tcp from any to 1.2.3.0/26 22,25,80,443

Then turn on the tcp.blackhole sysctl on the machines and you have the same effect with just one rule instead of 60, or configure firewalls with just two rules:

allow tcp from any to me porta,portb,portc
allow tcp from me to any

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
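The aggregation discussed in the message above, carried through as an added example (this is not code from the post, from ipfw, or from the FreeBSD project). It uses the post's constructed range 1.2.3.1 through 1.2.3.63 and ports 22, 25, 80, 443, and adds the check a defender wants before collapsing per-host rules into one block: that range does not sit on a CIDR boundary, so the single 1.2.3.0/26 rule also admits 1.2.3.0, while an exact cover needs six blocks. The rule model (destination address and destination port only, source "any", first match wins) is an assumed simplification of ipfw matching for illustration, and `average_rules_examined` counts rule comparisons, not measured packet timings.

```python
import ipaddress
from typing import Iterable, List, Optional, Tuple

# Constructed sample input, following the post: hosts 1.2.3.1 through 1.2.3.63,
# each needing TCP ports 22, 25, 80 and 443 reachable from anywhere.
HOSTS = [f"1.2.3.{i}" for i in range(1, 64)]
PORTS = (22, 25, 80, 443)

# Simplified rule model (assumption, not ipfw's real matcher):
# (action, destination network, allowed destination ports); an empty port
# set means "any port", and the source is implicitly "any".
Rule = Tuple[str, ipaddress.IPv4Network, frozenset]


def make_rule(action: str, dst: str, ports: Iterable[int] = ()) -> Rule:
    return (action, ipaddress.ip_network(dst), frozenset(ports))


def render(rule: Rule) -> str:
    """Render a rule in ipfw's 'action proto from src to dst ports' form."""
    action, net, ports = rule
    dst = str(net.network_address) if net.prefixlen == 32 else str(net)
    port_part = f" {','.join(str(p) for p in sorted(ports))}" if ports else ""
    return f"{action} tcp from any to {dst}{port_part}"


def per_host_rules(hosts: List[str], ports: Iterable[int]) -> List[Rule]:
    """One rule per host: the 'one rule per machine' ruleset the post compares against."""
    return [make_rule("pass", h, ports) for h in hosts]


def exact_blocks(hosts: List[str]) -> List[ipaddress.IPv4Network]:
    """Fewest CIDR blocks that cover exactly the listed hosts and nothing else."""
    addrs = [ipaddress.ip_address(h) for h in hosts]
    return list(ipaddress.collapse_addresses(addrs))


def enclosing_block(hosts: List[str]) -> ipaddress.IPv4Network:
    """Smallest single CIDR block containing every host (the 1.2.3.0/26 style)."""
    addrs = [ipaddress.ip_address(h) for h in hosts]
    net = ipaddress.ip_network(str(min(addrs)))
    while not all(a in net for a in addrs):
        net = net.supernet()
    return net


def unintended_hosts(hosts: List[str], net: ipaddress.IPv4Network) -> List[ipaddress.IPv4Address]:
    """Addresses the aggregate block admits that were not in the original list:
    the check to run before replacing per-host rules with one block rule."""
    wanted = {ipaddress.ip_address(h) for h in hosts}
    return [a for a in net if a not in wanted]


def first_match(rules: List[Rule], dst: str, dport: int) -> Optional[Tuple[int, str]]:
    """Walk the ruleset in order and stop at the first match, as ipfw does
    (count/skipto aside). Returns (rules examined, action), or None when
    nothing matches and ipfw's default rule would decide."""
    d = ipaddress.ip_address(dst)
    for i, (action, net, ports) in enumerate(rules, start=1):
        if d in net and (not ports or dport in ports):
            return i, action
    return None


def average_rules_examined(rules: List[Rule], hosts: List[str], dport: int) -> float:
    """Mean number of rules examined for one packet to each host on the given port."""
    total = 0
    for h in hosts:
        hit = first_match(rules, h, dport)
        total += hit[0] if hit else len(rules)
    return total / len(hosts)


if __name__ == "__main__":
    per_host = per_host_rules(HOSTS, PORTS)
    exact = [make_rule("pass", str(n), PORTS) for n in exact_blocks(HOSTS)]
    block = enclosing_block(HOSTS)
    single = [make_rule("pass", str(block), PORTS)]

    for name, rs in (("per-host", per_host), ("exact CIDR", exact), ("single block", single)):
        avg = average_rules_examined(rs, HOSTS, 22)
        print(f"{name}: {len(rs)} rule(s), {avg:.1f} examined on average")
    for r in exact + single:
        print("  ", render(r))
    print("single block also admits:", [str(a) for a in unintended_hosts(HOSTS, block)])
```

Run as a script it lists the six exact blocks, the single 1.2.3.0/26 rule, and the one address (1.2.3.0) the /26 admits beyond the listed hosts; whether that extra address is acceptable, or whether the six-block exact cover is the better trade, is the decision the aggregation step turns on.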