
Re: pf efficiency



On Jan 20, 2005, at 4:13 PM, MauroTablo' wrote:

> Hi all.
> My OpenBSD+pf based firewall has about 90 forward filtering rules, for tcp
> packets (about 30 rules), udp datagrams (about 40 rules) and icmp messages
> (about 20 rules). Every rule looks like: "block in proto xxx from any to yyy
> port = zzz", where xxx is the protocol type.
> Suppose that a transit tcp packet comes into my firewall.
> The question is: does pf compare the TCP packet against all my 90 rules, or
> does it compare the packet ONLY against those rules (about 30) written for
> tcp packets ("proto tcp")?
> In other words, is there a function in pf that looks at the protocol type
> of a transit packet and decides which rules to compare the packet against?

PF uses a method referred to as "skip steps" which is just an easy way of referring to the algorithms which only select those filters that are relevant to the packet being analyzed. I can't seem to find any reference to it in the man pages or PF FAQ, but I found a good explanation from the following document. I believe the information regarding skip steps is still accurate, but I'll have to defer to the developers:


http://www.inebriated.demon.nl/pf-howto/pf-howto.txt


-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net
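The following is an added illustration of the skip-step idea, not code from the thread and not pf's own source. It is a toy model: pf precomputes, for each rule and each of several packet fields (pf uses interface, direction, address family, protocol, source and destination address and port), the index of the next rule whose value for that field differs. When a field fails to match, evaluation jumps to that index, skipping every consecutive rule that could not have matched on that field either. The model below keeps only three fields and a small constructed ruleset grouped by protocol, as in the question; the rule data, addresses and function names are all assumptions made for the example.

```c
/* Toy model of pf "skip steps" (added example; not pf source code).
 * Each rule stores, per field, the index of the next rule whose value
 * for that field differs.  A failed field comparison jumps there. */
#include <stdio.h>
#include <string.h>

#define P_ANY  0
#define P_ICMP 1
#define P_TCP  6
#define P_UDP  17

enum { F_PROTO, F_DADDR, F_DPORT, NFIELDS };  /* pf itself tracks eight fields */

struct rule {
    int proto;            /* P_ANY = wildcard */
    const char *daddr;    /* NULL = any */
    int dport;            /* 0 = any */
    int skip[NFIELDS];    /* filled in by calc_skip_steps() */
};

struct pkt { int proto; const char *daddr; int dport; };

/* Constructed ruleset: "block in proto xxx from any to yyy port zzz",
 * grouped by protocol, plus a final catch-all.  Addresses are examples. */
struct rule rules[] = {
    { P_TCP,  "192.0.2.10", 22  },
    { P_TCP,  "192.0.2.10", 25  },
    { P_TCP,  "192.0.2.11", 80  },
    { P_UDP,  "192.0.2.10", 53  },
    { P_UDP,  "192.0.2.10", 123 },
    { P_UDP,  "192.0.2.11", 161 },
    { P_UDP,  "192.0.2.11", 514 },
    { P_ICMP, "192.0.2.10", 0   },
    { P_ICMP, "192.0.2.11", 0   },
    { P_ANY,  NULL,         0   },
};
#define NRULES ((int)(sizeof rules / sizeof rules[0]))

static int same_field(const struct rule *a, const struct rule *b, int f)
{
    switch (f) {
    case F_PROTO: return a->proto == b->proto;
    case F_DADDR: return (a->daddr == NULL && b->daddr == NULL) ||
                         (a->daddr && b->daddr && strcmp(a->daddr, b->daddr) == 0);
    default:      return a->dport == b->dport;
    }
}

/* skip[f] of rule i = index of the first rule after i whose field f differs.
 * Computed right to left so a rule inherits its successor's skip while the
 * field value stays the same, giving the end of the whole run in one step. */
void calc_skip_steps(struct rule *r, int n)
{
    for (int i = n - 1; i >= 0; i--)
        for (int f = 0; f < NFIELDS; f++)
            r[i].skip[f] = (i + 1 < n && same_field(&r[i], &r[i + 1], f))
                           ? r[i + 1].skip[f] : i + 1;
}

static int field_matches(const struct rule *r, const struct pkt *p, int f)
{
    switch (f) {
    case F_PROTO: return r->proto == P_ANY || r->proto == p->proto;
    case F_DADDR: return r->daddr == NULL || strcmp(r->daddr, p->daddr) == 0;
    default:      return r->dport == 0 || r->dport == p->dport;
    }
}

/* Walk the ruleset for one packet.  Returns the index of the last matching
 * rule (-1 if none; pf's default is last-match-wins) and stores in *examined
 * how many rules were actually looked at.  use_skip = 0 models a plain
 * linear scan of every rule, for comparison. */
int evaluate(const struct rule *r, int n, const struct pkt *p,
             int use_skip, int *examined)
{
    int last = -1, i = 0, f;
    *examined = 0;
    while (i < n) {
        (*examined)++;
        for (f = 0; f < NFIELDS; f++)
            if (!field_matches(&r[i], p, f))
                break;
        if (f < NFIELDS)                    /* field f failed to match */
            i = use_skip ? r[i].skip[f] : i + 1;
        else
            last = i++;                     /* matched; keep looking */
    }
    return last;
}

int main(void)
{
    struct pkt tcp = { P_TCP, "192.0.2.11", 443 };
    int n_lin, n_skip;
    calc_skip_steps(rules, NRULES);
    int r_lin  = evaluate(rules, NRULES, &tcp, 0, &n_lin);
    int r_skip = evaluate(rules, NRULES, &tcp, 1, &n_skip);
    printf("linear: rule %d after %d examined; skip steps: rule %d after %d examined\n",
           r_lin, n_lin, r_skip, n_skip);
    return 0;
}
```

For the TCP packet above, the linear scan examines all 10 rules; with skip steps the walk visits rules 0, 2, 3, 7 and 9 only, because the first UDP rule's proto skip jumps straight past the whole UDP block and the first ICMP rule's past the ICMP block. The benefit depends entirely on consecutive rules sharing field values, which is why grouping rules by protocol (or by destination) matters for pf's evaluation cost even though the rule order is otherwise free.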