From owner-freebsd-net@FreeBSD.ORG  Fri Nov 14 20:34:10 2008
Return-Path: <owner-freebsd-net@FreeBSD.ORG>
Delivered-To: freebsd-net@FreeBSD.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 82C8A1065674
	for <freebsd-net@FreeBSD.org>; Fri, 14 Nov 2008 20:34:10 +0000 (UTC)
	(envelope-from dougb@FreeBSD.org)
Received: from mail2.fluidhosting.com (mx22.fluidhosting.com [204.14.89.5])
	by mx1.freebsd.org (Postfix) with ESMTP id 20DE78FC17
	for <freebsd-net@FreeBSD.org>; Fri, 14 Nov 2008 20:34:10 +0000 (UTC)
	(envelope-from dougb@FreeBSD.org)
Received: (qmail 6497 invoked by uid 399); 14 Nov 2008 20:07:29 -0000
Received: from localhost (HELO lap.dougb.net) (dougb@dougbarton.us@127.0.0.1)
	by localhost with ESMTPAM; 14 Nov 2008 20:07:29 -0000
X-Originating-IP: 127.0.0.1
X-Sender: dougb@dougbarton.us
Message-ID: <491DDA7F.1040004@FreeBSD.org>
Date: Fri, 14 Nov 2008 12:07:27 -0800
From: Doug Barton <dougb@FreeBSD.org>
Organization: http://www.FreeBSD.org/
User-Agent: Thunderbird 2.0.0.17 (X11/20081010)
MIME-Version: 1.0
To: Julian Elischer <julian@elischer.org>
References: <491CD94F.3020207@elischer.org>	<20081114133913.K70117@sola.nimnet.asn.au>	<491D375D.1070809@elischer.org>	<20081114211043.W54700@delplex.bde.org>
	<491DC07B.6070304@elischer.org>
In-Reply-To: <491DC07B.6070304@elischer.org>
X-Enigmail-Version: 0.95.7
OpenPGP: id=D5B2F0FB
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Cc: FreeBSD Net <freebsd-net@FreeBSD.org>, ipfw@FreeBSD.org,
	Ian Smith <smithi@nimnet.asn.au>
Subject: Re: rc.firewall quick change
X-BeenThere: freebsd-net@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: Networking and TCP/IP with FreeBSD <freebsd-net.freebsd.org>
List-Unsubscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=unsubscribe>
List-Archive: <http://lists.freebsd.org/pipermail/freebsd-net>
List-Post: <mailto:freebsd-net@freebsd.org>
List-Help: <mailto:freebsd-net-request@freebsd.org?subject=help>
List-Subscribe: <http://lists.freebsd.org/mailman/listinfo/freebsd-net>,
	<mailto:freebsd-net-request@freebsd.org?subject=subscribe>
X-List-Received-Date: Fri, 14 Nov 2008 20:34:10 -0000

Julian Elischer wrote:
> I think the table is faster for mor ethan about 8 addresses (so we
> are borderline) but it's be hard to test..  You however use two rules
> so that would be slower.

I'm not a firewall expert so I won't comment on the specifics but I do
want to say that as a general rule "it works + fast/efficient" is MUCH
more important for default settings than "it works really well" or "it
works + more features." For better or worse we live in a world where
most users don't read the manuals, and that includes the ones running
"benchmarks" with default settings.

OTOH I do think it would be entirely appropriate to include a "better"
example commented out next to the "fast" default. I take a similar
approach with the default named.conf and have had good feedback from
users who appreciate pointers to more information when they actually
do get curious.


hth,

Doug

-- 

    This .signature sanitized for your protection