Date:      Sun, 19 Jan 2003 00:14:50 +0300 (MSK)
From:      Dmitry Morozovsky <marck@rinet.ru>
To:        Darren Pilgrim <dmp@pantherdragon.org>
Cc:        freebsd-hackers@FreeBSD.ORG
Subject:   Re: FreeBSD firewall for high profile hosts - waste of time ?
Message-ID:  <20030119001015.S46739@woozle.rinet.ru>
In-Reply-To: <3E2738BA.4090806@pantherdragon.org>
References:  <20030116124254.J9642-100000@mail.econolodgetulsa.com> <3E2738BA.4090806@pantherdragon.org>

On Thu, 16 Jan 2003, Darren Pilgrim wrote:

DP> There is sorting that you can do, like putting the highest-traffic rules
DP> near the top.  ipfw terminates the search on the first matching rule except
DP> for count and skipto.  Also, the fewer items that have to be checked the
DP> faster the rule is.  Perhaps there is some aggregation that can be done with
DP> the rules themselves?

By the way, is a (moderately complex) aggregated rule faster than a mix of simple
rules? (For now, we drop accounting issues.)

So, will

permit tcp from {a.b.c.0/24 or e.f.g.0/20} to any 22,25,80,443 setup

perform measurably better than a set of 8 corresponding rules?

Sincerely,
D.Marck                                   [DM5020, DM268-RIPE, DM3-RIPN]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- marck@rinet.ru ***
------------------------------------------------------------------------
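As an added illustration, not part of Dmitry's mail and not ipfw's own code, the POSIX sh script below writes out the two rule sets his question compares: the single aggregated rule with an or-block of sources and a port list, and the 8 single-network, single-port rules it stands in for (2 networks x 4 ports). The networks and ports are the placeholders from the mail; the rule numbers 1000-1007, the output file names, and the `--write` switch are assumptions of this example. Both files are in the form `ipfw -n <file>` accepts for a syntax check before anything is loaded or benchmarked.

```shell
#!/bin/sh
# Added example (not from the thread): emit the aggregated ipfw rule and its
# expanded 8-rule equivalent so they can be counted, diffed, or checked with
# `ipfw -n <file>`.  Addresses/ports are the mail's placeholders; the rule
# numbers and file names are assumed for this example.

NETS="a.b.c.0/24 e.f.g.0/20"       # the two source networks from the mail
PORTS="22,25,80,443"               # the destination port list from the mail

# One aggregated rule: an or-block of sources plus a comma-separated port list.
aggregated_rule() {
    set -- $NETS
    printf 'add 1000 permit tcp from { %s or %s } to any %s setup\n' \
        "$1" "$2" "$PORTS"
}

# The expanded form: one rule per (network, port) pair, numbered 1000-1007.
expanded_rules() {
    n=1000
    for net in $NETS; do
        for port in $(echo "$PORTS" | tr ',' ' '); do
            printf 'add %d permit tcp from %s to any %d setup\n' \
                "$n" "$net" "$port"
            n=$((n + 1))
        done
    done
}

# Number of rules in the expanded set (the "8 corresponding rules").
count_expanded() {
    expanded_rules | wc -l | tr -d ' '
}

# Stand-alone use: `sh thisfile.sh --write` writes both variants to files
# (assumed names) that `ipfw -n aggregated.ipfw` / `ipfw -n expanded.ipfw`
# can syntax-check without touching the running firewall.
if [ "${1:-}" = "--write" ]; then
    aggregated_rule > aggregated.ipfw
    expanded_rules  > expanded.ipfw
fi
```

Whether the aggregated rule is measurably faster is the empirical question the mail asks; the script only makes the two candidates explicit so that the same traffic can be run against each and the rule counters compared with `ipfw show`.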
