Date: Sun, 19 Jan 2003 00:14:50 +0300 (MSK)
From: Dmitry Morozovsky <marck@rinet.ru>
To: Darren Pilgrim
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
In-Reply-To: <3E2738BA.4090806@pantherdragon.org>
Message-ID: <20030119001015.S46739@woozle.rinet.ru>
References: <20030116124254.J9642-100000@mail.econolodgetulsa.com> <3E2738BA.4090806@pantherdragon.org>

On Thu, 16 Jan 2003, Darren Pilgrim wrote:

DP> There is sorting that you can do, like putting the highest-traffic rules
DP> near the top. ipfw terminates the search on the first matching rule except
DP> for count and skipto. Also, the fewer items that have to be checked the
DP> faster the rule is. Perhaps there is some aggregation that can be done with
DP> the rules themselves?

By the way, is a (moderately complex) aggregated rule faster than a mix of
simple rules? (For now, we drop accounting issues.)

So, will

    permit tcp from {a.b.c.0/24 or e.f.g.0/20} to any 22,25,80,443 setup

perform measurably better than the set of 8 corresponding rules?
Sincerely,
D.Marck [DM5020, DM268-RIPE, DM3-RIPN]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
------------------------------------------------------------------------
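The question above turns on how the two layouts are walked. As an added illustration (not part of the thread and not ipfw's matching code), the Python below expands the aggregated rule into the eight simple rules it stands for and counts, under first-match evaluation, how many rules are walked and how many predicates are checked for a few constructed packets. The networks, ports and packets are constructed stand-ins for the a.b.c.0/24 and e.f.g.0/20 placeholders in the message; "setup" is modelled as ipfw defines it (TCP with SYN set and ACK clear). The counts say nothing about measured packet-path cost; whether one layout is "measurably better" can only be settled by benchmarking both rulesets on the host in question.

```python
"""Simplified first-match cost model for the two ipfw rule layouts discussed
in the thread: one aggregated 'or'-block rule versus the 8 simple rules it
expands to.  Added illustration, not ipfw's matching engine: it counts rules
walked and predicates evaluated, which is not a measurement of real cost."""
import ipaddress
from dataclasses import dataclass

# Constructed sample networks and ports standing in for the a.b.c.0/24 and
# e.f.g.0/20 placeholders in the message (private ranges, each a valid
# network for its prefix length).
NETS = [ipaddress.ip_network("10.1.2.0/24"), ipaddress.ip_network("172.16.16.0/20")]
PORTS = [22, 25, 80, 443]


@dataclass
class Packet:
    src: str
    dst_port: int
    proto: str = "tcp"
    syn_only: bool = True  # SYN set, ACK clear: what ipfw's "setup" keyword selects


@dataclass
class Rule:
    action: str
    proto: str
    src_nets: list
    dst_ports: list
    setup: bool = False

    def matches(self, pkt, stats):
        """Evaluate this rule against pkt, charging each predicate to stats."""
        stats["rules_walked"] += 1
        stats["checks"] += 1
        if pkt.proto != self.proto:
            return False
        if self.setup:
            stats["checks"] += 1
            if not pkt.syn_only:
                return False
        src = ipaddress.ip_address(pkt.src)
        # The address 'or' block is modelled as a linear scan stopping at the
        # first hit; the port list likewise.
        for net in self.src_nets:
            stats["checks"] += 1
            if src in net:
                break
        else:
            return False
        for port in self.dst_ports:
            stats["checks"] += 1
            if pkt.dst_port == port:
                return True
        return False


def evaluate(rules, pkt):
    """First-match walk: stop at the first matching rule, as ipfw does for
    actions other than count/skipto.  Falls through to an implicit deny."""
    stats = {"rules_walked": 0, "checks": 0}
    for rule in rules:
        if rule.matches(pkt, stats):
            return rule.action, stats
    return "deny", stats


AGGREGATED = [Rule("allow", "tcp", NETS, PORTS, setup=True)]
# The 2 x 4 = 8 simple rules that say the same thing, in the order a
# hand-expanded ruleset would list them.
EXPANDED = [Rule("allow", "tcp", [n], [p], setup=True) for n in NETS for p in PORTS]


def compare(pkt):
    """Return {'aggregated': (action, stats), 'expanded': (action, stats)}."""
    return {"aggregated": evaluate(AGGREGATED, pkt), "expanded": evaluate(EXPANDED, pkt)}


if __name__ == "__main__":
    samples = [
        Packet("172.16.20.5", 443),  # second network, last port: worst case
        Packet("10.1.2.3", 22),      # first network, first port: best case
        Packet("192.0.2.9", 80),     # matches nothing: falls through both sets
    ]
    for pkt in samples:
        for name, (action, stats) in compare(pkt).items():
            print(f"{pkt.src}:{pkt.dst_port} {name:10s} {action:5s} {stats}")
```

Two things the model makes visible that the rule count alone does not: a packet that matches nothing (the common case on a busy host for ports outside the list) is rejected by the aggregated rule after its address block fails, but walks all eight expanded rules before falling through; and the expanded set's worst case is the packet matching its last rule, which is exactly the ordering-by-traffic point in the quoted reply. Whether those extra rule walks cost more than the longer address and port lists inside the single rule is an empirical question for the real ipfw on the real box.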