Date: Thu, 16 Sep 2004 03:52:17 -0000
From: James Quick <jq@quick.com>
To: Max Laier <max@love2party.net>
Cc: pf4freebsd@freelists.org
Subject: [pf4freebsd] Question about tables vs. lists.
Message-ID: <7F0E43BA-F291-11D7-B179-003065C496DC@quick.com>
In-Reply-To: <143167915309.20030929162711@love2party.net>
References: <18E25BB4-F287-11D7-ADF9-003065C496DC@quick.com> <143167915309.20030929162711@love2party.net>
I'm brand new to pf and, though I have a pretty good handle on it, would like to make sure that I am making wise decisions as I move toward more complex configuration.

Though I did play around with some rulesets which used list expansion in rules, my current ruleset uses tables for everything (except for one each of { tcp, udp } and { http, https } in-line). In particular, I have several tables which are likely to change over time, but should not typically change very often - weekly or monthly. The tables in question currently have 3-5 entries, and should not grow beyond 10-20 entries.

I prefer the additional information that I can easily grab from pfctl for tables, and also like the more modular design. I am unsure, however, about the relative costs of table lookup vs. the increase in rule count that the use of a list would incur. Are there any compelling reasons to use lists instead of tables for small sets? Since the total number of tables is likely to remain fairly small, I don't consider the up front memory cost for a small table to be compelling.

For example:

wanbad = " 0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, \
           127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/13, \
           192.0.2.0/24, 192.168.0.0/16, 204.152.64.0/23, \
           224.0.0.0/3, 255.255.255.255/32 \
         "

table <wanspoof>  const   { $wanbad, $qnet }
table <localnets> const   { $qnet, $unet }
table <dnshosts>  persist { fw, fw-gate, ns }
table <mailhosts> persist { jail1 jailtest }
table <webhosts>  persist { jail1, jailtest, laptop }
table <clocks>    persist { bonehed.lcs.mit.edu, clock.nyc.he.net, ntp.ourconcord.net }
table <servers>           { jail1, fw, fw-gate, jailtest, ns }

.....

block in  log quick on $wan from <wanspoof> label "spoof"
block in  log quick on $wan from no-route   label "unroutable:$srcaddr"
block out     quick on $wan to   <wanspoof>

.....

pass in log quick on $wan proto tcp to <mailhosts> port smtp \
    flags S/SA keep state label "mail"
pass in log quick on $wan proto tcp to <webhosts> port { http, https } \
    keep state label "web"
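The trade-off James asks about is that a list in a rule is expanded by the ruleset loader into one rule per combination of list members, whereas a table is referenced by a single rule and membership is decided by an address lookup at match time. The following Python model (an added illustration for this archive page, not pf source or anything James posted) reproduces that expansion on the $wanbad macro and the { http, https } list from his example so the resulting rule counts can be compared; the table side is modelled as a plain prefix-membership test. The first $wanbad entry is written here as 0.0.0.0/8, which is an assumption about the intended prefix (the message shows 0.0.0/8).

```python
"""Model of pf list expansion versus table lookup (added example, not pf code)."""
from ipaddress import ip_address, ip_network
from itertools import product

# Macro value taken from the message; first entry assumed to be 0.0.0.0/8.
WANBAD = ("0.0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, 127.0.0.0/8, 169.254.0.0/16, "
          "172.16.0.0/13, 192.0.2.0/24, 192.168.0.0/16, 204.152.64.0/23, "
          "224.0.0.0/3, 255.255.255.255/32")


def parse_list(text):
    """Split a pf-style list ('a, b c') into items; pf treats commas as optional."""
    return text.replace(",", " ").split()


def expand_rule(template, lists):
    """Model pf's list expansion: a rule with several lists is loaded as the
    cartesian product of their members, one concrete rule per combination.
    `template` uses {name} placeholders, `lists` maps name -> list text."""
    names = list(lists)
    members = [parse_list(lists[n]) for n in names]
    return [template.format(**dict(zip(names, combo))) for combo in product(*members)]


class Table:
    """Model of a pf table: one rule references it and matching is a
    membership test over the stored prefixes, independent of rule count."""

    def __init__(self, entries):
        self.nets = [ip_network(e, strict=False) for e in parse_list(entries)]

    def __contains__(self, addr):
        a = ip_address(addr)
        return any(a in n for n in self.nets)


def spoof_rules_as_list():
    """The 'block in ... from <wanspoof>' rule rewritten with the macro in-line."""
    return expand_rule('block in log quick on $wan from {src} label "spoof"',
                       {"src": WANBAD})


def spoof_rules_as_table():
    """The same policy expressed against a table: a single rule."""
    return ['block in log quick on $wan from <wanspoof> label "spoof"']


def web_rules_as_lists():
    """Both the host set and the port set as in-line lists: counts multiply."""
    return expand_rule('pass in log quick on $wan proto tcp to {host} port {port} keep state',
                       {"host": "jail1, jailtest, laptop", "port": "http, https"})


def spoof_table():
    return Table(WANBAD)


if __name__ == "__main__":
    print(len(spoof_rules_as_list()), "rules from the list form vs",
          len(spoof_rules_as_table()), "from the table form")
    print(len(web_rules_as_lists()), "rules when both host and port are lists")
    print("10.1.2.3 in <wanspoof>:", "10.1.2.3" in spoof_table())
```

Because the message uses <wanspoof> in both an inbound and an outbound block rule, the list form would pay the expansion twice; the table form keeps two rules regardless of how many prefixes the set holds, which is the rule-count cost the question is weighing.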