[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: count rules?



On Wed, Oct 23, 2002 at 11:12:09PM +0300, Nikolay Denev wrote:
> What about simple "count" rules, that are to be inspected before the dynamic
> ruleset?
> If they are not so many probably there will be no significant performance
> impact. And they will make the traffic accounting much easier.
No, it's MUCH much much muchos very extremely better to count on the real
rules using rule labels. every packet that passes your firewall should
traverse a pass rule (you block by default, don't you.). It's just a matter
of defining your rules correctly.