Re: URGENT?

2014-03-22 Thread Julian Elischer

On 3/22/14, 8:11 AM, RW wrote:

On Sat, 22 Mar 2014 08:48:40 -0600
Brett Glass wrote:


This is correct. And that's awkward, because you might not want all of
these checks in one place. Also, if there are many dynamic rules this
will slow traffic down quite a bit.


in ipfw that's up to you..
but I usually put the check-state quite early in my rule sets.
I am working on a new rc.firewall that is much more efficient.
the trouble is that the script to make it do what I want is a bit more complicated.

I'll put it out for discussion later. maybe tonight.


It should be the other way around. Once a flow has been learned it's
just a simple hash-table lookup once you hit the first stateful rule.
In pf most packets bypass the rules altogether.
___
freebsd-secur...@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscr...@freebsd.org"



___
freebsd-ipfw@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-ipfw
To unsubscribe, send any mail to "freebsd-ipfw-unsubscr...@freebsd.org"
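An added example (not the author's forthcoming rc.firewall, nor anything from the thread) showing the layout Julian describes and RW's point about it: check-state sits before the stateful allow rules, so once a flow has been learned its packets are resolved by the dynamic-rule lookup at that rule and never walk the rest of the set. Rule numbers, the interface name `ext_if`, and the `fwcmd` variable (set to `echo` for a dry run, as rc.firewall allows) are assumptions.

```shell
#!/bin/sh
# Added example: rc.firewall-style ruleset with check-state placed early.
# Assumptions: rule numbers, ext_if, and the fwcmd dry-run convention.

# fwcmd="echo" prints the rules instead of loading them (used by the checks below).
fwcmd="${fwcmd:-/sbin/ipfw}"
ext_if="${ext_if:-em0}"   # assumed external interface name

build_ruleset() {
    ${fwcmd} -q flush
    # Loopback traffic needs no state tracking.
    ${fwcmd} add 100 allow ip from any to any via lo0
    # Early check-state: a packet belonging to an existing dynamic rule
    # matches here and is accepted/denied by that rule's action; the
    # remaining (static) rules are never evaluated for it.
    ${fwcmd} add 200 check-state
    # Outbound connections create dynamic rules; the replies match at 200.
    ${fwcmd} add 300 allow tcp from me to any out via "${ext_if}" setup keep-state
    ${fwcmd} add 310 allow udp from me to any out via "${ext_if}" keep-state
    ${fwcmd} add 320 allow icmp from me to any out via "${ext_if}" keep-state
    # Inbound service: only the SYN is evaluated here, the rest of the
    # connection is handled by the dynamic rule.
    ${fwcmd} add 400 allow tcp from any to me 22 in via "${ext_if}" setup keep-state
    # Everything else is logged and dropped ahead of the default rule 65535.
    ${fwcmd} add 60000 deny log ip from any to any
}

# Dry-run listing of the ruleset, one "add N ..." line per rule.
dry_run() {
    ( fwcmd=echo; build_ruleset )
}

# Rule number of the check-state rule in the dry-run listing.
check_state_position() {
    dry_run | awk '$1 == "add" && $3 == "check-state" { print $2; exit }'
}

# Rule number of the first keep-state rule; must be greater than the
# check-state number for established flows to short-circuit the set.
first_keep_state_position() {
    dry_run | awk '$1 == "add" && /keep-state/ { print $2; exit }'
}
```

To see the learned flows on a live system, `ipfw -d list` prints the dynamic rules and `sysctl net.inet.ip.fw.dyn_count` gives their number; `net.inet.ip.fw.dyn_max` caps how many may exist, which is the limit to watch if a host terminates many short connections.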


Re: ipfw dynamic rules

2014-03-22 Thread Julian Elischer

reposting with a useful subject line and more comments

On 3/22/14, 10:33 PM, Julian Elischer wrote:


in ipfw that's up to you..
but I usually put the check-state quite early in my rule sets.


On 3/22/14, 1:34 AM, Ian Smith wrote:

Firstly, that's the one page in the handbook (that I know of) that needs
completely nuking.  It contains many factual errors as well as weird
notions, and will only tend to mislead you; consult ipfw(8) and prosper.
I'd say refer to the examples in rc.firewall but it too is in disrepair.


I am working on a new rc.firewall that is much more efficient.
the trouble is that the script to make it do what I want is a bit more complicated.

I'll put it out for discussion later. maybe tonight.

as for the handbook pages.. after we see how the new firewall rules work
we can see about rewriting the page.
