From: Matus "fantomas" Uhlar
To: freebsd-questions@freebsd.org
Date: Sun, 25 Nov 2001 16:23:53 +0100
Subject: ipfirewall optimizations
Message-ID: <20011125162353.A24468@fantomas.sk>

Hello,

I am just setting up a quite complicated firewall using ipfw; I want to restrict some TCP and UDP services to be accepted only on some local IPs and only from some IP ranges. I'd like to know if it's a good idea to 'optimize' it by jumping between rules this way:

100 skipto 1000 tcp from any to any {port1} in
200 skipto 2000 tcp from any to any {port2} in
999 allow ip from any to any

1000 skipto 10000 tcp from any to {local_ip_1}
1001 deny ip from any to any

2000 skipto 20000 tcp from any to {local_ip_2}
2001 deny ip from any to any

10000 allow ip from {ip_range_1} to any
10001 allow ip from {ip_range_2} to any
10002 deny ip from any to any

20000 allow ip from {ip_range_1} to any
20001 allow ip from {ip_range_2} to any
20002 deny ip from any to any

Is jumping between rules fast enough? Is it better to do the jumping than to try to put all checks into one rule, like this?

1000 allow tcp from {ip_range_1} to {local_ip_1} {port1} in
1001 allow tcp from {ip_range_2} to {local_ip_1} {port1} in
1002 deny tcp from any to any {port1} in

2000 allow tcp from {ip_range_1} to {local_ip_2} {port2} in
2001 allow tcp from {ip_range_2} to {local_ip_2} {port2} in
2002 deny tcp from any to any {port2} in

BTW, I have many more rules.

-- 
Matus "fantomas" Uhlar, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I don't wish to receive spam to this address.
Warning: I do not wish to receive any advertising mail at this address.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphilis. Good thing we have penicillin." - Matthew Alton
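As an added illustration (this is not code from the post, nor part of ipfw or FreeBSD), the following Python model builds both of the layouts above from one list of services and source ranges, pushes constructed sample packets through each, checks that the two layouts always reach the same verdict, and counts how many rules each packet has to touch on the way. Only the match options the post uses are implemented (protocol, source and destination address or CIDR, destination port, "in"), plus the allow/deny/skipto actions. The service ports, local addresses and source ranges are placeholders made up for the example.

```python
import bisect
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    proto: str              # "tcp" or "udp"
    src: str
    dst: str
    dport: int
    direction: str = "in"   # "in" or "out"


@dataclass
class Rule:
    num: int
    action: str                       # "allow", "deny" or "skipto"
    proto: str                        # "ip", "tcp" or "udp"
    src: str = "any"                  # "any", a host or a CIDR
    dst: str = "any"
    dport: Optional[int] = None       # destination port (tcp/udp only)
    direction: Optional[str] = None   # "in", "out" or None for either
    target: Optional[int] = None      # skipto target rule number

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        for want, have in ((self.src, p.src), (self.dst, p.dst)):
            if want != "any" and ipaddress.ip_address(have) not in \
                    ipaddress.ip_network(want, strict=False):
                return False
        if self.dport is not None and self.dport != p.dport:
            return False
        return self.direction is None or self.direction == p.direction


def evaluate(rules, p):
    """Walk the ruleset in number order, as ipfw does.
    Returns (verdict, number of rules examined)."""
    rules = sorted(rules, key=lambda r: r.num)
    nums = [r.num for r in rules]
    i = examined = 0
    while i < len(rules):
        r = rules[i]
        examined += 1
        if not r.matches(p):
            i += 1
        elif r.action == "skipto":
            # resume at the first rule numbered >= target (ipfw requires target > r.num)
            i = bisect.bisect_left(nums, r.target)
        else:
            return r.action, examined
    return "deny", examined   # fell through to the implicit deny at 65535


def skipto_ruleset(services, ranges):
    """Jump layout from the post: 100*n dispatches on port, 1000*n checks
    the local address, 10000*n checks the source range."""
    assert 1 <= len(services) <= 6, "10000*n must stay below 65535"
    assert len({port for port, _ in services}) == len(services), \
        "dispatching on port alone needs one local address per port"
    rules = [Rule(999, "allow", "ip")]   # traffic to no restricted port
    for n, (port, local_ip) in enumerate(services, start=1):
        rules.append(Rule(100 * n, "skipto", "tcp", dport=port, direction="in", target=1000 * n))
        rules.append(Rule(1000 * n, "skipto", "tcp", dst=local_ip, target=10000 * n))
        rules.append(Rule(1000 * n + 1, "deny", "ip"))
        for j, net in enumerate(ranges):
            rules.append(Rule(10000 * n + j, "allow", "ip", src=net))
        rules.append(Rule(10000 * n + len(ranges), "deny", "ip"))
    return rules


def flat_ruleset(services, ranges):
    """One-rule-per-check layout: every allow carries all of its conditions."""
    rules = []
    for n, (port, local_ip) in enumerate(services, start=1):
        for j, net in enumerate(ranges):
            rules.append(Rule(1000 * n + j, "allow", "tcp", src=net, dst=local_ip,
                              dport=port, direction="in"))
        rules.append(Rule(1000 * n + len(ranges), "deny", "tcp", dport=port, direction="in"))
    rules.append(Rule(60000, "allow", "ip"))   # same catch-all as rule 999 above
    return rules


def compare(services, ranges, packets):
    """Return [(verdict, rules examined with skipto, rules examined flat), ...];
    raises if the two layouts ever disagree on a packet."""
    jump, flat = skipto_ruleset(services, ranges), flat_ruleset(services, ranges)
    out = []
    for p in packets:
        (vj, cj), (vf, cf) = evaluate(jump, p), evaluate(flat, p)
        if vj != vf:
            raise AssertionError(f"layouts disagree on {p}: {vj} vs {vf}")
        out.append((vj, cj, cf))
    return out


# Constructed sample configuration: documentation-prefix addresses, made-up ports.
SERVICES = [(25, "192.0.2.10"), (53, "192.0.2.11"), (80, "192.0.2.12"), (143, "192.0.2.13")]
RANGES = ["198.51.100.0/24", "203.0.113.0/24", "192.0.2.0/24"]
PACKETS = [
    Packet("tcp", "203.0.113.7", "192.0.2.13", 143),      # allowed: listed range, last service
    Packet("tcp", "10.9.8.7", "192.0.2.13", 143),         # denied: source not listed
    Packet("tcp", "198.51.100.5", "192.0.2.10", 143),     # denied: right range, wrong local IP
    Packet("tcp", "10.9.8.7", "192.0.2.10", 22),          # allowed: port not restricted
    Packet("tcp", "10.9.8.7", "192.0.2.13", 143, "out"),  # allowed: only inbound is restricted
]

if __name__ == "__main__":
    for p, (verdict, cj, cf) in zip(PACKETS, compare(SERVICES, RANGES, PACKETS)):
        print(f"{p.src:>14} -> {p.dst}:{p.dport} {p.direction:<3} {verdict:<5} "
              f"skipto={cj:2d} flat={cf:2d}")
```

With N restricted services and R source ranges, a packet in the jump layout touches at most N dispatch rules, one local-address check and R range rules, while the flat layout walks every rule of every service listed before the one that finally matches, so the gap grows with N*R; the largest saving is for traffic to an unrestricted port, which the jump layout settles at rule 999 after N misses instead of after N*(R+1) misses. Two caveats the model makes explicit: it counts rule evaluations only, not the kernel's own cost of locating a skipto target (a forward walk through the list in the ipfw of that era) or the per-rule match cost, so the real answer still comes from measuring on the box; and dispatching on port number alone, as rules 100/200 do, silently breaks as soon as two local addresses serve the same port, which the assertion in skipto_ruleset catches.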