From: James Quick <jq@quick.com>
To: Max Laier
cc: pf4freebsd@freelists.org
Subject: [pf4freebsd] Question about tables vs. lists.
Date: Thu, 16 Sep 2004 03:52:17 -0000
X-Original-Date: Mon, 29 Sep 2003 11:27:54 -0400
Message-Id: <7F0E43BA-F291-11D7-B179-003065C496DC@quick.com>
In-Reply-To: <143167915309.20030929162711@love2party.net>
References: <18E25BB4-F287-11D7-ADF9-003065C496DC@quick.com> <143167915309.20030929162711@love2party.net>
List-Id: Technical discussion and general questions about packet filter (pf)
X-Mailman-Approved-At: Thu, 16 Sep 2004 03:55:51 +0000

I'm brand new to pf and though I have a pretty good handle on it, would like to make sure that I am making wise decisions as I move toward more complex configuration.

Though I did play around with some rulesets which used list expansion in rules, my current ruleset uses tables for everything (except for one each of { tcp, udp } and { http, https } in-line). In particular, I have several tables which are likely to change over time, but should not typically change very often - weekly or monthly. The tables in question currently have 3-5 entries, and should not grow beyond 10-20 entries.

I prefer the additional information that I can easily grab from pfctl for tables, and also like the more modular design. I am unsure, however, about the relative costs of table lookup vs. the increase in rule count that the use of a list would incur. Are there any compelling reasons to use lists instead of tables for small sets? Since the total number of tables is likely to remain fairly small, I don't consider the up front memory cost for a small table to be compelling.
For example:

    wanbad = " 0.0.0/8, 10.0.0.0/8, 20.20.20.0/24, \
               127.0.0.0/8, 169.254.0.0/16, 172.16.0.0/13, \
               192.0.2.0/24, 192.168.0.0/16, 204.152.64.0/23, \
               224.0.0.0/3, 255.255.255.255/32 \
             "

    table const { $wanbad, $qnet }
    table const { $qnet, $unet }
    table persist { fw, fw-gate, ns }
    table persist { jail1 jailtest }
    table persist { jail1, jailtest, laptop }
    table persist { bonehed.lcs.mit.edu, clock.nyc.he.net,
                    ntp.ourconcord.net }
    table { jail1, fw, fw-gate, jailtest, ns }

    .....

    block in log quick on $wan from label "spoof"
    block in log quick on $wan from no-route label "unroutable:$srcaddr"
    block out quick on $wan to

    .....

    pass in log quick on $wan proto tcp to port smtp \
        flags S/SA keep state label "mail"
    pass in log quick on $wan proto tcp to port { http, https } \
        keep state label "web"
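The trade-off the post asks about comes from how pf loads the two constructs: a `{ ... }` list is expanded by pfctl at load time into one separate rule per item (several lists in one rule give the cartesian product), so the ruleset grows with the list and every change needs a reload, while a table is referenced by a single rule and its contents are looked up and updated at runtime. The following is an added example, not code from the post or from pf itself: a small Python model of that list expansion, run over two constructed rulesets (interface `em0`, a five-network bogon macro, and the rules are sample data) that express the same policy once with a list and once with a table, so the resulting rule counts can be compared. It goes slightly beyond the post in that it accepts both the comma and the whitespace item separators seen in the post's tables, and handles backslash line continuations; the macro, list and table grammar is otherwise a deliberate simplification of pf.conf.

```python
"""Added example (not from the original post or from pf): simulate pf's
load-time expansion of {} lists into separate rules and compare the rule
count of a list-based ruleset with a table-based one.  Addresses, the
interface name em0 and the rules below are constructed sample data; the
pf.conf grammar is modelled only as far as macros, {} lists and tables."""
import itertools
import re

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"([^"]*)"$')
TABLE_RE = re.compile(r'^table\s+<([\w-]+)>(?:\s+\w+)*\s*\{([^}]*)\}$')
LIST_RE = re.compile(r'\{([^}]*)\}')


def split_items(text):
    """pf accepts commas and/or whitespace between items in braces and macro strings."""
    return [item for item in re.split(r'[\s,]+', text.strip()) if item]


def expand_macros(line, macros):
    """Substitute $name with the macro's string value (an undefined macro is an error, as in pfctl)."""
    def repl(match):
        name = match.group(1)
        if name not in macros:
            raise KeyError("macro '%s' not defined" % name)
        return macros[name]
    return re.sub(r'\$(\w+)', repl, line)


def expand_lists(rule):
    """Return the rules pf generates from one rule containing {} lists.

    Each list is replaced by one of its items; several lists in one rule
    give the cartesian product of their items."""
    lists = LIST_RE.findall(rule)
    if not lists:
        return [rule]
    choices = [split_items(body) for body in lists]
    expanded = []
    for combo in itertools.product(*choices):
        items = iter(combo)
        expanded.append(LIST_RE.sub(lambda _m: next(items), rule))
    return expanded


def load_ruleset(text):
    """Parse a pf.conf-like fragment into (expanded rules, {table name: entries})."""
    macros, tables, rules = {}, {}, []
    text = re.sub(r'\\\n\s*', ' ', text)            # join backslash line continuations
    for raw in text.splitlines():
        line = raw.split('#', 1)[0].strip()           # drop comments and blank lines
        if not line:
            continue
        macro = MACRO_RE.match(line)
        if macro:
            macros[macro.group(1)] = macro.group(2)
            continue
        line = expand_macros(line, macros)
        table = TABLE_RE.match(line)
        if table:                                     # a table is one object, not a rule
            tables[table.group(1)] = split_items(table.group(2))
            continue
        rules.extend(expand_lists(line))              # a rule with lists becomes many rules
    return rules, tables


def summarize(text):
    """Rule count after expansion plus the size of each table: the two costs the post weighs."""
    rules, tables = load_ruleset(text)
    return {"rules": len(rules),
            "tables": {name: len(entries) for name, entries in tables.items()}}


# Constructed sample rulesets: the same policy, written with a list and with a table.
LIST_STYLE = '''
wanbad = "0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 192.168.0.0/16"
block in log quick on em0 from { $wanbad } label "spoof"
pass in quick on em0 proto tcp to port { http, https } keep state label "web"
'''

TABLE_STYLE = '''
wanbad = "0.0.0.0/8, 10.0.0.0/8, 127.0.0.0/8, 169.254.0.0/16, 192.168.0.0/16"
table <wanbad> const { $wanbad }
block in log quick on em0 from <wanbad> label "spoof"
pass in quick on em0 proto tcp to port { http, https } keep state label "web"
'''

if __name__ == "__main__":
    for name, conf in (("list", LIST_STYLE), ("table", TABLE_STYLE)):
        rules, _tables = load_ruleset(conf)
        print("%s style: %s" % (name, summarize(conf)))
        for rule in rules:
            print("   ", rule)
```

Running it shows the list version loading as 7 rules (5 from the bogon list, 2 from the port list) against 3 rules plus one 5-entry table for the table version; adding a sixth network to the table leaves the rule count at 3. On a real host the same comparison is visible with `pfctl -nvf /etc/pf.conf`, which parses the file without loading it and prints the rules after list expansion, and `pfctl -t wanbad -T show`, which lists a loaded table's entries.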