Date: Sat, 8 Jan 2000 09:08:29 +0100 (CET)
From: Luigi Rizzo <luigi@info.iet.unipi.it>
To: "Rodney W. Grimes" <freebsd@gndrsh.dnsmgr.net>
Cc: Patrick Bihan-Faou <patrick@mindstep.com>, Harold Gutch <logix@foobar.franken.de>, freebsd-current@FreeBSD.ORG, Nate Williams <nate@mt.sri.com>
Subject: Re: ipfw optimizations
Message-ID: <200001080808.JAA09575@info.iet.unipi.it>
In-Reply-To: <200001080031.QAA13581@gndrsh.dnsmgr.net> from "Rodney W. Grimes" at "Jan 7, 2000 04:31:00 pm"

> clnsrv "allow " tcp "" 43 "${tcp_nicname_c}" "${tcp_nicname_s}"
> clnsrv "allow " tcp "" 53 "${tcp_domain_c}" "${tcp_domain_s}"
...
> ... on and on up to the 1024 and then a few splattered after that.

looks like the search path can become extremely long!

> The single largest optimization would probably be a dispatch based on
> source or destination port, the latter being more prevalent.

ok... dispatch on ports is easy to implement, easier than
dispatch on (masked) IP's.

> I can't easily send out the actual IP firewall list, it may expose
> whatever router I grabbed it off of to an attack :-)

understand -- this is why i just asked only about the structure
of the ruleset and the length of the longest search path.

	cheers
	luigi
-----------------------------------+-------------------------------------
  Luigi RIZZO, luigi@iet.unipi.it  . Dip. di Ing. dell'Informazione
  http://www.iet.unipi.it/~luigi/  . Universita` di Pisa
  TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56126 PISA (Italy)
  Mobile   +39-347-0373137
-----------------------------------+-------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-current" in the body of the message
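
The destination-port dispatch discussed in the message above, as an added sketch that is not part of the original e-mail and is not ipfw's code. The rule and packet structs, the constructed ruleset, the 0-as-wildcard convention and the 1024-port index are all assumptions made for the illustration; the step counter shows how the search path shrinks while first-match semantics stay the same.

```c
#include <stdint.h>
#include <string.h>
#define NPORTS 1024 /* assumption: index only ports below 1024 */
#define ANY    0    /* constructed convention: 0 is a wildcard */

struct rule { uint8_t proto; uint16_t dport; int allow; };
struct pkt  { uint8_t proto; uint16_t dport; };

/* Constructed ruleset, first match wins (not the ruleset from the thread). */
static const struct rule rules[] = {
    {6, 43, 1}, {6, 53, 1}, {17, 53, 1}, {6, 25, 1}, {6, 80, 1}, {ANY, ANY, 0},
};
enum { NRULES = sizeof rules / sizeof rules[0] };
static uint8_t bucket[NPORTS][NRULES]; /* rule indices per dport, in rule order */
static uint8_t blen[NPORTS];

static int match(const struct rule *r, const struct pkt *p) {
    return (r->proto == ANY || r->proto == p->proto) &&
           (r->dport == ANY || r->dport == p->dport);
}

/* Baseline: walk the whole list; *steps counts the rules examined. */
int linear_lookup(const struct pkt *p, int *steps) {
    for (int i = 0; i < NRULES; i++) {
        ++*steps;
        if (match(&rules[i], p)) return rules[i].allow;
    }
    return 0; /* default deny */
}

/* Wildcard-port rules go into every bucket, preserving first-match order. */
void build_dispatch(void) {
    memset(blen, 0, sizeof blen);
    for (int i = 0; i < NRULES; i++)
        for (int d = 1; d < NPORTS; d++)
            if (rules[i].dport == ANY || rules[i].dport == d)
                bucket[d][blen[d]++] = (uint8_t)i;
}

int dispatch_lookup(const struct pkt *p, int *steps) {
    if (p->dport == 0 || p->dport >= NPORTS) return linear_lookup(p, steps);
    for (int k = 0; k < blen[p->dport]; k++) {
        const struct rule *r = &rules[bucket[p->dport][k]];
        ++*steps;
        if (match(r, p)) return r->allow;
    }
    return 0; /* default deny */
}

int main(void) { struct pkt p = {6, 80}; int s = 0; build_dispatch(); return !dispatch_lookup(&p, &s); }
```

Packets to ports outside the indexed range fall back to the full linear walk, so the worst case is unchanged there.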