
Re:



Well, in such a small ruleset it won't really make bugger all of a
difference. However, I assume this is an example of a principle you are
using in a much larger set.
With that in mind, I would opt to use the quick keyword. Everywhere I
have read suggests using "quick" especially in large rulesets. Using
quick as soon as you have matched a packet you want to let through or
kick allows pf to move onto the next packet straight away. 
The additional benefit is that it is clearer to see what is happening.
That is, without "quick" used, you trace a packet through and have to
remember each rule it matches and overwrite the actions with actions
from rules that match later on down the track.
Anyway, there you go.
andrew
 --- Björn Ketelaars <[email protected]> wrote: 
> Hello,
> 
> I'm trying to grasp the following two blocks of rules. If I understand
> correctly the main difference is that the first block of rules dismisses
> priv_nets by means of a drop, which means that the package is not checked
> by the following rules and in the second set of rules priv_net is checked
> until the end (and blocked).
> 
> But which set is more efficient?
> 
> # external interface ($ext_if)
> block all
> block drop in log quick on $ext_if from $priv_nets to any
> block drop out log quick on $ext_if from any to $priv_nets
> pass in on $ext_if inet proto tcp from any to ($ext_if) port $ext_tcp flags S/SA keep state
> pass in on $ext_if inet proto icmp from any to ($ext_if) icmp-type $ext_icmp keep state
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
> 
> # external interface ($ext_if)
> block all
> pass in on $ext_if inet proto tcp from !$priv_nets to ($ext_if) port $ext_tcp flags S/SA keep state
> pass in on $ext_if inet proto icmp from !$priv_nets to ($ext_if) icmp-type $ext_icmp keep state
> pass out on $ext_if from any to !$priv_nets keep state
> 
> Kind regards,
> 
> Björn
> 
>  
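As an added example (not part of this thread), a small Python model of pf's evaluation order, with the two rulesets from Björn's message reduced to direction and $priv_nets membership so the effect of "quick" on how many rules a packet walks can be seen; eliding proto/port matching and testing $priv_nets by address prefix are simplifying assumptions.

```python
from collections import namedtuple

# Constructed model of pf rule evaluation: proto/port matching is elided, and
# $priv_nets is approximated by an address-prefix test (assumption).
PRIV_NETS = ("10.", "192.168.")
Rule = namedtuple("Rule", "action direction src dst quick", defaults=(False,))

def in_priv(addr):
    return addr.startswith(PRIV_NETS)

def matches(rule, direction, src, dst):
    if rule.direction not in ("any", direction):
        return False
    for want, addr in ((rule.src, src), (rule.dst, dst)):
        if want == "priv" and not in_priv(addr):
            return False
        if want == "!priv" and in_priv(addr):
            return False
    return True

def evaluate(rules, direction, src, dst):
    """Return (final action, rules examined). pf semantics: the last matching
    rule wins, unless a matching rule carries 'quick', which ends evaluation."""
    action = "pass"  # pf's implicit default when no rule matches
    for n, rule in enumerate(rules, 1):
        if matches(rule, direction, src, dst):
            action = rule.action
            if rule.quick:
                return action, n
    return action, len(rules)

# First ruleset from the post: $priv_nets dropped up front with 'quick'.
RULESET_QUICK = [
    Rule("block", "any", "any", "any"),
    Rule("block", "in", "priv", "any", quick=True),
    Rule("block", "out", "any", "priv", quick=True),
    Rule("pass", "in", "any", "any"),    # tcp to ($ext_if) port $ext_tcp
    Rule("pass", "in", "any", "any"),    # icmp to ($ext_if)
    Rule("pass", "out", "any", "any"),   # tcp out, modulate state
    Rule("pass", "out", "any", "any"),   # udp/icmp out
]
# Second ruleset: negated $priv_nets, no 'quick'; every rule is walked.
RULESET_NEGATED = [
    Rule("block", "any", "any", "any"),
    Rule("pass", "in", "!priv", "any"),  # tcp
    Rule("pass", "in", "!priv", "any"),  # icmp
    Rule("pass", "out", "any", "!priv"),
]
```

A packet from a private source is decided at rule 2 in the first set but walks all four rules in the second; a legitimate packet still traverses every rule in both, which is why "quick" only pays off on the paths it terminates.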