On 8/11/2014 10:02 AM, PGNd wrote:
> Given the simple /rules example
>
> #ACTION SOURCE DEST PROTO DEST
> # PORT
> ACCEPT net $FW tcp 1234
> ACCEPT net $FW udp 5678
>
> Is there additional/further Shorewall 'shorthand' that should
> 'better' consolidate. Something equivalent to,
>
> ACCEPT net $FW tcp:1234,udp:5678
>
> perhaps ?
>
> My understanding suggests that it may not be worth worrying about, as
> the written rules might only affect COMPILE time.
>
> The RUNTIME performance of the firewall would be dictated by the
> OPTIMIZE level. In my case I've set it in shorewall.conf to
>
> OPTIMIZE=All
>
> How dependent is runtime performance on config file 'style'? Just
> ignore it, and depend on the OPTIMIZEr to do its best?
There are a couple of shortcomings of Shorewall's current optimization:
a) It can't reorder rules based on frequency of match.
b) It doesn't detect all cases where adjacent rules could be
optimized by creating a separate chain.
You can handle the first case by looking at the output of 'shorewall
show' and re-order your rules in order of decreasing number of matches
(first column). The built-in chains can be re-ordered by changing the
order of the declarations in the zones file (be careful, though, if you
have nested zones).
Here's an example of the second case:
/etc/shorewall/rules:
ACCEPT net:a.b.c.d dmz:w.x.y.z tcp rsync
ACCEPT net:e.f.g.h dmz:w.x.y.z tcp rsync
ACCEPT net:i.j.k.l dmz:w.x.y.z tcp rsync
...
You can optimize this by:
/etc/shorewall/actions
rsync
/etc/shorewall/action.rsync
ACCEPT a.b.c.d
ACCEPT e.f.g.h
ACCEPT net:i.j.k.l
...
/etc/shorewall/rules:
rsync net dmz:w.x.y.z tcp rsync
With this alternative configuration, only rsync connection requests from
the net to w.x.y.z need to be compared against the list of allowed
remote hosts. In the original configuration, all net->dmz connection
requests that failed to match an earlier rule had to be compared.
Of course, this particular example can be made even more efficient by
using an ipset :-)
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
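As an added example (not from Tom's message or from the Shorewall project), here is a small Python script that applies the first suggestion above: it parses a chain listing in the iptables -L -n -v layout that 'shorewall show' prints, ranks the rules by packet count, and reports how many rule comparisons the observed traffic cost under the original order versus the ranked order. The chain name, addresses and counters in SAMPLE are constructed.

```python
import re

# Constructed sample in the 'iptables -L -n -v' layout that 'shorewall show'
# prints; three per-host rsync ACCEPT rules for a dmz host plus a final DROP.
SAMPLE = """\
Chain net-dmz (1 references)
    pkts      bytes target     prot opt in     out     source               destination
      12      720 ACCEPT     tcp  --  *      *       10.1.1.1             192.0.2.10           tcp dpt:873
    9876   592560 ACCEPT     tcp  --  *      *       10.1.1.2             192.0.2.10           tcp dpt:873
     340    20400 ACCEPT     tcp  --  *      *       10.1.1.3             192.0.2.10           tcp dpt:873
       0        0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

_SUFFIX = {"": 1, "K": 1000, "M": 1000000, "G": 1000000000}

def _count(token):
    """Parse a counter; iptables abbreviates large values (12K, 3M) unless run with -x."""
    m = re.fullmatch(r"(\d+)([KMG]?)", token)
    if not m:
        raise ValueError("not a counter: %r" % token)
    return int(m.group(1)) * _SUFFIX[m.group(2)]

def parse_chain(text):
    """Return (chain_name, [(pkts, rule_line), ...]) in the order the rules are installed."""
    name, rules = None, []
    for line in text.splitlines():
        m = re.match(r"Chain (\S+)", line)
        if m:
            name = m.group(1)
            continue
        parts = line.split(None, 2)
        # Header line starts with 'pkts'; rule lines start with a numeric counter.
        if len(parts) == 3 and re.fullmatch(r"\d+[KMG]?", parts[0]):
            rules.append((_count(parts[0]), line.strip()))
    return name, rules

def rank_by_matches(rules):
    """Reorder by decreasing packet count; ties keep their config order (sorted() is stable).
    Only safe when the rules cannot match the same packet, as with these per-host ACCEPTs;
    reordering overlapping rules changes policy, not just speed."""
    return sorted(rules, key=lambda r: -r[0])

def total_comparisons(rules):
    """Rule tests the kernel performed for the counted packets: a packet that matched
    rule i (1-based) was tested against i rules before being accepted or dropped."""
    return sum(pkts * pos for pos, (pkts, _) in enumerate(rules, start=1))

if __name__ == "__main__":
    name, rules = parse_chain(SAMPLE)
    ranked = rank_by_matches(rules)
    print(name, total_comparisons(rules), "->", total_comparisons(ranked))
    for pkts, line in ranked:
        print("%8d  %s" % (pkts, line))
```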
Shorewall-users mailing list: https://lists.sourceforge.net/lists/listinfo/shorewall-users
