Date:      Wed, 22 Jan 2003 01:58:55 +0300 (MSK)
From:      Dmitry Morozovsky <marck@rinet.ru>
To:        Darren Pilgrim <dmp@pantherdragon.org>
Cc:        freebsd-hackers@FreeBSD.ORG
Subject:   Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID:  <20030122015428.E77616@woozle.rinet.ru>
In-Reply-To: <3E2B4953.7060008@pantherdragon.org>
References:  <20030116124254.J9642-100000@mail.econolodgetulsa.com> <3E2738BA.4090806@pantherdragon.org> <20030119001015.S46739@woozle.rinet.ru> <3E2B4953.7060008@pantherdragon.org>

On Sun, 19 Jan 2003, Darren Pilgrim wrote:

[snip-a-bit]
DP> > By the way, is (moderately complex) aggregated rule faster than mix of simple
DP> > rules? (for now, we drop accounting issues)
DP> >
DP> I'm not sure if the {a.b.c.0/24 or e.f.g.0/20} part is valid, but in theory
DP> this rule should require fewer ops on average than 8 separate rules.  What I
DP> meant when I said aggregate is that if you have a contiguous block of IPs,
DP> say 1.2.3.1 through 1.2.3.63, most need ports 22, 25, 80, and 443 open, then
DP> create one rule:
DP>
DP> pass tcp from any to 1.2.3.0/26 22,25,80,443

Yeah, I suppose we both got the point ;-)

The only side note I have for now is: it would be _extremely_ useful to
describe firewall tuning either in firewall.7 or security.7 or even an explicit
manpage as well as bring it under attention in the Handbook. However, not
being a native speaker and/or kernel deep-knowledge-man, /me just silently
crouches into his corner ;-)


Anyway, thank you all the Crew and congrats on releasing 5.0!


Sincerely,
D.Marck                                   [DM5020, DM268-RIPE, DM3-RIPN]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
------------------------------------------------------------------------
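The rule aggregation Darren describes above (a contiguous block of hosts folded into one prefix carrying a port list) can be checked mechanically before it goes into a ruleset. The script below is an added example, not code from this thread or from FreeBSD; it relies only on Python's standard `ipaddress` module, takes the thread's 1.2.3.1 through 1.2.3.63 range and port list as constructed input, and contrasts the minimal exact prefix set with the single covering prefix 1.2.3.0/26, listing any address the single prefix admits beyond the intended hosts. The emitted rule text mirrors the quoted ipfw rule; all function names are my own.

```python
import ipaddress
from typing import List

IPv4Address = ipaddress.IPv4Address
IPv4Network = ipaddress.IPv4Network


def summarize_hosts(first: str, last: str) -> List[IPv4Network]:
    """Minimal list of CIDR prefixes covering exactly first..last (inclusive).

    This is the 'no extra hosts' aggregation: every address in the result
    is one the admin asked for, at the cost of several prefixes.
    """
    return list(
        ipaddress.summarize_address_range(IPv4Address(first), IPv4Address(last))
    )


def single_prefix_cover(first: str, last: str) -> IPv4Network:
    """Smallest single prefix that contains both endpoints.

    Starts from a /32 on the first address and widens (supernet) until
    the last address falls inside.  This is the 1.2.3.0/26 style of
    aggregation from the thread: one rule, possibly a few extra hosts.
    """
    lo, hi = IPv4Address(first), IPv4Address(last)
    net = ipaddress.ip_network(f"{lo}/32")
    while hi not in net:
        net = net.supernet()
    return net


def extra_hosts(net: IPv4Network, first: str, last: str) -> List[str]:
    """Addresses inside net that lie outside first..last.

    Iterating the network directly (not .hosts()) so that the network
    and broadcast addresses are included; a firewall rule matches them too.
    """
    lo, hi = IPv4Address(first), IPv4Address(last)
    return [str(a) for a in net if not lo <= a <= hi]


def ipfw_rule(action: str, proto: str, dst: IPv4Network, ports: List[int]) -> str:
    """Render one ipfw rule in the body syntax quoted in the thread."""
    portlist = ",".join(str(p) for p in ports)
    return f"{action} {proto} from any to {dst} {portlist}"


def aggregated_rules(first: str, last: str, ports: List[int], exact: bool) -> List[str]:
    """Build the pass rules for a host range.

    exact=True  -> one rule per prefix of the exact cover (no extra hosts)
    exact=False -> one rule for the single covering prefix (may admit extras)
    """
    prefixes = summarize_hosts(first, last) if exact else [single_prefix_cover(first, last)]
    return [ipfw_rule("pass", "tcp", p, ports) for p in prefixes]


if __name__ == "__main__":
    # Constructed input taken from the thread's example.
    FIRST, LAST = "1.2.3.1", "1.2.3.63"
    PORTS = [22, 25, 80, 443]

    print("exact cover:")
    for rule in aggregated_rules(FIRST, LAST, PORTS, exact=True):
        print("  ", rule)

    cover = single_prefix_cover(FIRST, LAST)
    print("single prefix:")
    for rule in aggregated_rules(FIRST, LAST, PORTS, exact=False):
        print("  ", rule)
    # Report what the single prefix lets through that was not requested,
    # so the admin can decide whether the extra hosts are acceptable.
    print("extra hosts admitted by", cover, "->", extra_hosts(cover, FIRST, LAST))
```

For the thread's range the exact cover needs six prefixes (/32, /31, /30, /29, /28, /27), while the single prefix 1.2.3.0/26 needs one rule and additionally admits only 1.2.3.0, the network address. Whether that trade is acceptable is a policy decision; the point of the check is that the extra addresses are listed rather than discovered later.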
