From owner-freebsd-hackers Sun Mar 28 7: 6:44 1999 Delivered-To: freebsd-hackers@freebsd.org Received: from labinfo.iet.unipi.it (labinfo.iet.unipi.it [131.114.9.5]) by hub.freebsd.org (Postfix) with SMTP id C936D1521A; Sun, 28 Mar 1999 07:06:38 -0800 (PST) (envelope-from luigi@labinfo.iet.unipi.it) Received: from localhost (luigi@localhost) by labinfo.iet.unipi.it (8.6.5/8.6.5) id OAA03534; Sun, 28 Mar 1999 14:44:48 +0200 From: Luigi Rizzo Message-Id: <199903281244.OAA03534@labinfo.iet.unipi.it> Subject: Re: ipfw behavior, is it normal? To: jmb@hub.freebsd.org (Jonathan M. Bresler) Date: Sun, 28 Mar 1999 14:44:47 +0200 (MET DST) Cc: housley@frenchknot.ne.mediaone.net, noor@NetVision.net.il, freebsd-hackers@FreeBSD.ORG In-Reply-To: <19990328145315.C71D514D61@hub.freebsd.org> from "Jonathan M. Bresler" at Mar 28, 99 06:52:56 am X-Mailer: ELM [version 2.4 PL23] Content-Type: text Content-Length: 1016 Sender: owner-freebsd-hackers@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.ORG Re. the problem with ipfw configurations... should we add another instruction to ipfw between A and B ... to ease life in configuring firewalls ? Performance of a ruleset will be only marginally improved, but having simpler rules will indirectly make configurations more secure by reducing mistakes. From the implementation point of view i think it is just one more flag and replicating the four "if (...) continue" which check addresses and ports. Performancewise, there is almost no saving because the only checks that we save (those on interfaces) almost never apply for bidirectional case. cheers luigi -----------------------------------+------------------------------------- Luigi RIZZO . EMAIL: luigi@iet.unipi.it . Dip. di Ing. dell'Informazione HTTP://www.iet.unipi.it/~luigi/ . Universita` di Pisa TEL/FAX: +39-050-568.533/522 . via Diotisalvi 2, 56126 PISA (Italy) -----------------------------------+------------------------------------- To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-hackers" in the body of the message