On 3/22/14, 8:11 AM, RW wrote:
On Sat, 22 Mar 2014 08:48:40 -0600
Brett Glass wrote:

This is correct. And that's awkward, because you might not want all of
these checks in one place. Also, if there are many dynamic rules this
will slow traffic down quite a bit.

In ipfw that's up to you,
but I usually put the check-state quite early in my rule sets.
I am working on a new rc.firewall that is much more efficient.
The trouble is that the script to make it do what I want is a bit more complicated.
I'll put it out for discussion later, maybe tonight.

It should be the other way around. Once a flow has been learned it's
just a simple hash-table lookup once you hit the first stateful rule.
In pf most packets bypass the rules altogether.
_______________________________________________
freebsd-secur...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"


_______________________________________________
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
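
The point argued in the thread above, as an added example that is not from any of the participants: a simplified Python model of a first-match rule walk, counting how many rules an established flow's packet passes before its state is found, with and without an early check-state. The ruleset, addresses and function names are constructed for illustration; only the rule that state is consulted at the first check-state, keep-state or limit rule comes from ipfw(8).

```python
# Simplified model (added example) of an ipfw-style first-match rule walk.
# Per ipfw(8), dynamic rules are consulted at the first check-state,
# keep-state or limit rule a packet reaches. Flows are one-directional
# tuples here and the state table is a dict; both are simplifications.

CHECK_STATE = "check-state"

def build_rules(n_filler, early_check_state):
    """Constructed ruleset: n_filler static deny rules, then one keep-state allow."""
    filler = [(lambda f, i=i: f[1] == f"192.0.2.{i}", "deny", False)
              for i in range(n_filler)]
    allow_ssh = (lambda f: f[0] == "tcp" and f[3] == 22, "allow", True)
    head = [(CHECK_STATE, None, False)] if early_check_state else []
    return head + filler + [allow_ssh]

def walk(rules, state, flow):
    """Return (verdict, number of rules examined) for one packet of `flow`."""
    examined, looked_up = 0, False
    for match, action, stateful in rules:
        examined += 1
        if (match == CHECK_STATE or stateful) and not looked_up:
            looked_up = True
            if flow in state:            # hash lookup, average cost independent of table size
                return state[flow], examined
        if match != CHECK_STATE and match(flow):
            if stateful:
                state[flow] = action     # install the dynamic rule
            return action, examined
    return "deny", examined              # default-deny assumed for the model

def established_cost(n_filler, early_check_state, other_flows=0):
    """Rules examined for the second packet of a flow already in the state table."""
    rules, state = build_rules(n_filler, early_check_state), {}
    for i in range(other_flows):         # unrelated learned flows (constructed)
        state[("tcp", f"198.51.100.{i % 250}", "203.0.113.1", 10000 + i)] = "allow"
    flow = ("tcp", "198.51.100.7", "203.0.113.1", 22)
    walk(rules, state, flow)             # first packet installs state
    return walk(rules, state, flow)[1]

if __name__ == "__main__":
    for early in (True, False):
        print("early check-state" if early else "no early check-state",
              established_cost(20, early), established_cost(20, early, 5000))
```

In this model the number of learned flows does not change the count; only the position of the first stateful rule does.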