Date:      Sat, 22 Mar 2014 15:11:55 +0000
From:      RW <rwmaillists@googlemail.com>
To:        freebsd-security@freebsd.org
Subject:   Re: URGENT? (was: Re: NTP security hole CVE-2013-5211?)
Message-ID:  <20140322151155.184d5229@gumby.homeunix.com>
In-Reply-To: <201403221454.IAA22021@mail.lariat.net>
References:  <51546.1395432085@server1.tristatelogic.com> <20140322182402.Q83569@sola.nimnet.asn.au> <201403221454.IAA22021@mail.lariat.net>

On Sat, 22 Mar 2014 08:48:40 -0600
Brett Glass wrote:

> This is correct. And that's awkward, because you might not want all of
> these checks in one place. Also, if there are many dynamic rules this
> will slow traffic down quite a bit.

It should be the other way around. Once a flow has been learned it's
just a simple hash-table lookup once you hit the first stateful rule.
In pf most packets bypass the rules altogether.
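To make the point in the reply above concrete, here is an added toy model (not code from the thread, from ipfw or from pf) of an ordered ruleset with a flow state table. The ruleset, the addresses, the packets and the `keep_state` flag on the `Rule` class are all constructed for the demo; real pf and ipfw state entries also key on interface and direction, which this model leaves out. It counts how many rules each packet costs: a learned flow is answered by one hash-table lookup and never walks the ruleset, while the same traffic through a stateless ruleset walks the rules every time and, as a side effect, drops the NTP reply because no rule explicitly admits it.

```python
# Added example, not from the mailing-list thread: a toy model of
# ipfw/pf-style stateful filtering. All rules, addresses and packets below
# are constructed for the demonstration.
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Flow key: (proto, src, sport, dst, dport), the tuple a state entry is hashed on.
FlowKey = Tuple[str, str, int, str, int]


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    """One ordered ruleset entry; None fields are wildcards (hypothetical syntax)."""
    action: str                    # "pass" or "block"
    proto: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    keep_state: bool = False       # models pf 'keep state' / ipfw 'keep-state'

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


def flow_key(p: Packet) -> FlowKey:
    return (p.proto, p.src, p.sport, p.dst, p.dport)


def reverse_key(p: Packet) -> FlowKey:
    # The reply direction of the same flow.
    return (p.proto, p.dst, p.dport, p.src, p.sport)


class PacketFilter:
    def __init__(self, rules: List[Rule], stateful: bool = True) -> None:
        self.rules = rules
        self.stateful = stateful
        self.states: Set[FlowKey] = set()   # learned (passed) flows
        self.rules_evaluated = 0            # total ruleset cost across all packets

    def decide(self, p: Packet) -> str:
        if self.stateful:
            # A learned flow, in either direction, is a single hash-table hit;
            # the ordered ruleset is not walked at all for it.
            if flow_key(p) in self.states or reverse_key(p) in self.states:
                return "pass"
        # Otherwise walk the rules first-match.
        for rule in self.rules:
            self.rules_evaluated += 1
            if rule.matches(p):
                if self.stateful and rule.keep_state and rule.action == "pass":
                    self.states.add(flow_key(p))   # learn the flow
                return rule.action
        return "block"   # default deny


def simulate(packets: List[Packet], rules: List[Rule],
             stateful: bool = True) -> Tuple[List[str], int]:
    """Return the per-packet verdicts and the number of rule evaluations spent."""
    pf = PacketFilter(rules, stateful)
    verdicts = [pf.decide(p) for p in packets]
    return verdicts, pf.rules_evaluated


# Constructed ruleset: allow and track our own NTP queries to one upstream
# server, reject anything else sent to udp/123 (unsolicited NTP queries).
RULES = [
    Rule("pass", proto="udp", dst="192.0.2.10", dport=123, keep_state=True),
    Rule("block", proto="udp", dport=123),
]

# Constructed traffic: our query, the server's reply, a second query on the
# same flow, and an unsolicited query aimed at our own port 123.
SAMPLE_PACKETS = [
    Packet("udp", "10.0.0.5", 40000, "192.0.2.10", 123),
    Packet("udp", "192.0.2.10", 123, "10.0.0.5", 40000),
    Packet("udp", "10.0.0.5", 40000, "192.0.2.10", 123),
    Packet("udp", "203.0.113.7", 5555, "10.0.0.5", 123),
]

if __name__ == "__main__":
    for stateful in (True, False):
        verdicts, cost = simulate(SAMPLE_PACKETS, RULES, stateful)
        print(f"stateful={stateful}: {verdicts}, rules evaluated={cost}")
```

With state, the four packets cost three rule evaluations in total (one for the first query, two for the unsolicited one) and the reply is admitted by the state entry. Without state the same packets cost six evaluations, and the reply is dropped by the default deny because it matches neither rule; admitting it statelessly would need a broad pass rule for return traffic, which is exactly the trade-off stateful filtering avoids.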


