Date: Sat, 22 Mar 2014 22:33:48 -0700
From: Julian Elischer <julian@freebsd.org>
To: RW <rwmaillists@googlemail.com>, freebsd-security@freebsd.org, ipfw@FreeBSD.org
Subject: Re: URGENT?
Message-ID: <532E723C.2090109@freebsd.org>
In-Reply-To: <20140322151155.184d5229@gumby.homeunix.com>
References: <51546.1395432085@server1.tristatelogic.com> <20140322182402.Q83569@sola.nimnet.asn.au> <201403221454.IAA22021@mail.lariat.net> <20140322151155.184d5229@gumby.homeunix.com>

On 3/22/14, 8:11 AM, RW wrote:
> On Sat, 22 Mar 2014 08:48:40 -0600
> Brett Glass wrote:
>
>> This is correct. And that's awkward, because you might not want all of
>> these checks in one place. Also, if there are many dynamic rules this
>> will slow traffic down quite a bit.

In ipfw that's up to you, but I usually put the check-state quite early
in my rule sets. I am working on a new rc.firewall that is much more
efficient. The trouble is that the script to make it do what I want is a
bit more complicated. I'll put it out for discussion later. Maybe tonight.

> It should be the other way around. Once a flow has been learned it's
> just a simple hash-table lookup once you hit the first stateful rule.
> In pf most packets bypass the rules altogether.