Hopefully a simple question:
I have a ruleset with six or more rules that could effectively be solved
with two or three negation rules at most in ipf.conf.
However, coming from a FW-1 / NG background, CheckPoint teaches us that
negation rules are very CPU expensive / intensive.
How about ipf? Is it more expensive to use a single negation rule in
ipf.conf, or is it faster to rewrite / expand the negation rule to multiple
rules?
My fear is that if I expand / rewrite the negation rule, I may miss
something and thereby create a security hole, whereby a negation rule would
cover everything.
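Added example (not from the poster above, and not part of ipf): the worry in the last paragraph, that a hand-expanded negation misses a block, can be checked mechanically. The script below computes the positive-rule expansion of a negated network list with Python's ipaddress module, renders it as ipf.conf lines, and then proves the expansion is exactly the complement: every block pairwise disjoint and the sizes summing to the whole address space, so a dropped or overlapping block fails the check. The excluded networks, the interface name fxp0 and the pass action are constructed placeholders; the ipf syntax `from !10.0.0.0/8` for the one-rule negation form is shown for illustration only.

```python
import ipaddress
from itertools import combinations

# Constructed example input: the networks a hypothetical negation rule
# (ipf form: "from !10.0.0.0/8") keeps out. Two nets stand in for a ruleset.
EXCLUDED = ["10.0.0.0/8", "192.168.0.0/16"]
UNIVERSE = ipaddress.ip_network("0.0.0.0/0")


def _nets(items):
    """Accept strings or network objects, return network objects."""
    return [n if isinstance(n, (ipaddress.IPv4Network, ipaddress.IPv6Network))
            else ipaddress.ip_network(n) for n in items]


def complement(excluded, universe=UNIVERSE):
    """Networks covering every address in `universe` that is in none of
    `excluded`: the positive-rule expansion of a negation."""
    pieces = [universe]
    for ex in _nets(excluded):
        kept = []
        for piece in pieces:
            if piece.subnet_of(ex):          # wholly excluded: drop it
                continue
            if ex.subnet_of(piece):          # carve the excluded net out
                kept.extend(piece.address_exclude(ex))
            else:                            # disjoint: keep unchanged
                kept.append(piece)
        pieces = kept
    return list(ipaddress.collapse_addresses(pieces))


def render_rules(nets, action="pass", direction="in", iface="fxp0"):
    """ipf.conf lines for an expansion; action and interface are placeholders."""
    return [f"{action} {direction} quick on {iface} from {n} to any"
            for n in _nets(nets)]


def equivalent(excluded, expansion, universe=UNIVERSE):
    """Exhaustive proof that `expansion` is exactly `universe` minus
    `excluded`: all blocks pairwise disjoint and their sizes sum to the
    universe. A missed block or an overlap makes this return False."""
    blocks = list(ipaddress.collapse_addresses(_nets(excluded))) + _nets(expansion)
    if any(a.overlaps(b) for a, b in combinations(blocks, 2)):
        return False
    return sum(b.num_addresses for b in blocks) == universe.num_addresses


def spot_check(excluded, expansion, samples):
    """Per-address check: each sample must match exactly one of the two
    forms (the negated set or its expansion), never both, never neither."""
    ex_nets, exp_nets = _nets(excluded), _nets(expansion)
    for s in samples:
        addr = ipaddress.ip_address(s)
        in_excluded = any(addr in n for n in ex_nets)
        in_expansion = any(addr in n for n in exp_nets)
        if in_excluded == in_expansion:
            return False
    return True


if __name__ == "__main__":
    expansion = complement(EXCLUDED)
    print(f"# expansion of !{EXCLUDED} into {len(expansion)} positive rules:")
    for line in render_rules(expansion):
        print(line)
    print("exact complement:", equivalent(EXCLUDED, expansion))
    print("spot check:", spot_check(EXCLUDED, expansion,
                                    ["10.1.2.3", "192.168.9.9", "8.8.8.8"]))
```

A single excluded /8 expands to 8 positive rules and the two-network case above to 22, which is the other half of the trade-off: the expanded list is longer, but each rule is a plain prefix match. Run the equivalence check against the exact list you paste into ipf.conf, since a rule edited by hand afterwards is the one most likely to leave a gap.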