Date: Wed, 22 Jan 2003 01:58:55 +0300 (MSK)
From: Dmitry Morozovsky <marck@rinet.ru>
To: Darren Pilgrim
Cc: freebsd-hackers@FreeBSD.ORG
Subject: Re: FreeBSD firewall for high profile hosts - waste of time ?
In-Reply-To: <3E2B4953.7060008@pantherdragon.org>
Message-ID: <20030122015428.E77616@woozle.rinet.ru>
References: <20030116124254.J9642-100000@mail.econolodgetulsa.com> <3E2738BA.4090806@pantherdragon.org> <20030119001015.S46739@woozle.rinet.ru> <3E2B4953.7060008@pantherdragon.org>

On Sun, 19 Jan 2003, Darren Pilgrim wrote:

[snip-a-bit]

DP> > By the way, is (moderately complex) aggregated rule faster than mix of simple
DP> > rules? (for now, we drop accounting issues)
DP> >
DP> I'm not sure if the {a.b.c.0/24 or e.f.g.0/20} part is valid, but in theory
DP> this rule should require fewer ops on average than 8 separate rules. What I
DP> meant when I said aggregate is that if you have a contiguous block of IPs,
DP> say 1.2.3.1 through 1.2.3.63, most need ports 22, 25, 80, and 443 open, then
DP> create one rule:
DP>
DP> pass tcp from any to 1.2.3.0/26 22,25,80,443

Yeah, I suppose we both got the point ;-)

The only side note I have for now is: it would be _extremely_ useful to
describe firewall tuning either in firewall.7 or security.7 or even an
explicit manpage, as well as bring it to attention in the Handbook.
However, not being a native speaker and/or kernel deep-knowledge-man, /me
just silently crouches into his corner ;-)

Anyway, thank you all the Crew and congrats for 5.0 releasing!

Sincerely,
D.Marck [DM5020, DM268-RIPE, DM3-RIPN]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
------------------------------------------------------------------------
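The aggregation Darren describes above collapses a contiguous host range and a port list into one rule. The point a defender wants to check is whether the chosen CIDR block matches the range exactly: 1.2.3.1 through 1.2.3.63 is not a power-of-two-aligned block, so 1.2.3.0/26 also admits 1.2.3.0. The following is an added example, not code from the thread; it uses Python's standard ipaddress module to compute the exact minimal CIDR cover, report any hosts a coarser block would admit beyond the intended range, and emit ipfw-style rule strings (the rule syntax is assumed to follow the "pass tcp from any to <net> <ports>" form quoted above and is illustrative only).

```python
"""Check how well an aggregated ipfw-style rule covers a host range.

Added example (not from the mailing-list thread). Inputs are the constructed
range 1.2.3.1 .. 1.2.3.63 and port list 22,25,80,443 from the discussion.
"""
import ipaddress


def exact_cover(first: str, last: str) -> list:
    """Minimal list of CIDR blocks covering first..last inclusive."""
    return list(ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last)))


def overshoot(block: str, first: str, last: str) -> list:
    """Addresses admitted by `block` that lie outside first..last.

    A non-empty result means the aggregated rule is wider than intended.
    """
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    net = ipaddress.ip_network(block, strict=True)
    # Iterating an IPv4Network yields every address, network/broadcast included.
    return [str(a) for a in net if not lo <= int(a) <= hi]


def aggregate_rules(first: str, last: str, ports: list) -> list:
    """One 'pass tcp' rule per block of the exact cover, carrying the port list.

    Rule syntax is ipfw-like (assumed from the quoted example), not a
    guarantee that every ipfw version accepts this exact form.
    """
    plist = ",".join(str(p) for p in ports)
    return [f"pass tcp from any to {net} {plist}"
            for net in exact_cover(first, last)]


if __name__ == "__main__":
    for rule in aggregate_rules("1.2.3.1", "1.2.3.63", [22, 25, 80, 443]):
        print(rule)
    extra = overshoot("1.2.3.0/26", "1.2.3.1", "1.2.3.63")
    print("hosts admitted by 1.2.3.0/26 beyond the range:", extra)
```

The exact cover of .1 through .63 needs six blocks; whether one over-wide /26 is acceptable depends on whether 1.2.3.0 is ever a real host, which is exactly the trade-off the thread is weighing.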