Just to update the fine folks who answered me on and off the lists... [netbsd - tech-net and ipf]
I subdivided the rule sets into 256 subnets (fewer, actually, because many were empty and hence not listed at all), which means no packet needs to match more than about 1000 rules to fully traverse the full 20,000+ rule ipf rule-set.
[SNIP]
I got several impatient suggestions to just try stuff, but I only have one firewall and every time I crash it I have to explain to my family why they can't get to Google! 8-) So I probably asked a few too many things I could determine by trial and error...
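The per-subnet split described above, as an added example that is not the poster's own configuration or script: it buckets a flat ipf ruleset by destination /24 and emits ipf `head`/`group` rules so a packet is compared against the head rules plus its own subnet's group rather than every rule. It assumes all destinations lie inside one /16 (so at most 256 groups), an interface named fxp0, and a default-deny policy per subnet; the sample rules are constructed.

```python
"""Added example: split a flat ipf ruleset into per-/24 head/group blocks."""
import ipaddress
from collections import defaultdict

# Constructed sample rules: (action, dst_cidr, proto, dst_port).
FLAT_RULES = [
    ("block", "10.1.0.5/32", "tcp", 23),
    ("block", "10.1.0.0/24", "tcp", 135),
    ("block", "10.1.0.0/24", "udp", 137),
    ("pass", "10.1.7.10/32", "tcp", 80),
    ("block", "10.1.7.0/24", "udp", 161),
    ("block", "10.1.7.0/24", "tcp", 445),
    ("block", "10.1.7.0/24", "tcp", 139),
    ("block", "10.1.200.1/32", "tcp", 22),
]
BASE = "10.1.0.0/16"  # assumed: every destination sits inside this /16

def bucket_rules(rules, base=BASE, prefix=24):
    """Map each rule to the /prefix subnet of its destination -> {subnet: [rules]}."""
    base_net = ipaddress.ip_network(base)
    buckets = defaultdict(list)
    for rule in rules:
        net = ipaddress.ip_network(rule[1])
        if not net.subnet_of(base_net):
            raise ValueError(f"{rule[1]} lies outside {base}")
        sub = ipaddress.ip_network(f"{net.network_address}/{prefix}", strict=False)
        buckets[sub].append(rule)
    return dict(buckets)

def group_id(subnet, base=BASE):
    """Group number 1..256 from the subnet's offset inside the base /16
    (ipf's group 0 is the default group, so numbering starts at 1)."""
    sub, base_net = ipaddress.ip_network(subnet), ipaddress.ip_network(base)
    offset = int(sub.network_address) - int(base_net.network_address)
    return 1 + (offset >> (32 - sub.prefixlen))

def render_ipf(buckets, iface="fxp0"):
    """Emit ipf.conf text: one head rule per populated subnet, then that subnet's
    rules tagged 'group N'. If nothing in a group matches, ipf treats the head
    rule as the match, so 'block ... head N' is the per-subnet default (deny)."""
    heads, members = [], []
    for sub in sorted(buckets):
        gid = group_id(str(sub))
        heads.append(f"block in quick on {iface} from any to {sub} head {gid}")
        for action, dst, proto, port in buckets[sub]:
            members.append(f"{action} in quick on {iface} proto {proto} "
                           f"from any to {dst} port = {port} group {gid}")
    return "\n".join(heads + members) + "\n"

def worst_case_lookups(buckets):
    """Rules compared in the worst case: every head rule plus the largest group."""
    return len(buckets) + max(len(v) for v in buckets.values())
```

With the sample, the worst-case walk drops from 8 flat rules to 7 (3 heads plus the largest group); the saving grows with the rule count, which is the effect the 20,000-rule set relies on.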
Woah. Your HOME firewall has 20,000 rules?! That seems a bit extreme for a home network.
-- Phil Dibowitz [EMAIL PROTECTED] Freeware and Technical Pages Insanity Palace of Metallica http://www.phildev.net/ http://www.ipom.com/
"They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." - Benjamin Franklin, 1759
