Re: pf efficiency
On Jan 20, 2005, at 4:13 PM, MauroTablo' wrote:
My OpenBSD+pf based firewall has about 90 forward filtering rules, for
packets (about 30 rules), udp datagram (about 40 rules) and icmp
(about 20 rules). Every rule looks like: "block in proto xxx from any
port = zzz", where xxx is the protocol type.
Suppose that a transit tcp packet comes into my firewall.
The question is: pf confronts the TCP packet with all my 90 rules, or
confronts the packet ONLY WITH those rules (about 30) written for tcp
packets ("proto tcp")?
In other words, is there a function in pf that looks up to the
of a transit packet and decides which rules to confront the packet
PF uses a method referred to as "skip steps" which is just an easy way
of referring to the algorithms which only select those filters that are
relevant to the packet being analyzed. I can't seem to find any
reference to it in the man pages or PF FAQ, but I found a good
explanation from the following document. I believe the information
regarding skip steps is still accurate, but I'll have to defer to the
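To make the skip-step idea concrete, here is an added example that is not pf's own code and not part of either message: a simplified model of how pf precomputes, per rule and per field, the index of the next rule whose value differs, and then jumps by that index on a mismatch instead of stepping to the next rule. It keys skips on only two assumed fields (protocol and source port); real pf also uses interface, direction, address family and addresses, and the ruleset and packets below are constructed to mirror the 30 tcp / 40 udp / 20 icmp "block in proto xxx from any port = zzz" layout in the question.

```python
# Added example (not pf's own code): a simplified model of pf "skip steps".
# Rules and packets are constructed to mirror the ruleset in the question.
from dataclasses import dataclass, field
from typing import Optional

# Assumption: only two fields take part in skip steps here. pf also keys on
# interface, direction, address family and source/destination addresses.
FIELDS = ("proto", "src_port")


@dataclass
class Rule:
    action: str
    proto: Optional[str] = None      # None means "any"
    src_port: Optional[int] = None   # None means "any"
    # field name -> index of the next rule whose value for that field differs
    skip: dict = field(default_factory=dict)


def calc_skip_steps(rules):
    """Done once when the ruleset is loaded.

    For every rule and every field, record the index of the next rule whose
    value for that field differs. Consecutive rules that share a value form a
    run; a packet that mismatches one of them on that field mismatches all of
    them, so evaluation can jump past the whole run in one step."""
    n = len(rules)
    for f in FIELDS:
        i = 0
        while i < n:
            value = getattr(rules[i], f)
            j = i + 1
            while j < n and getattr(rules[j], f) == value:
                j += 1
            for k in range(i, j):
                rules[k].skip[f] = j
            i = j
    return rules


def evaluate(rules, packet, use_skip=True):
    """Return (final action, number of rules inspected) for one packet.

    Last matching rule wins, as in pf without 'quick'; the default is pass.
    With use_skip=False every rule is compared, which is the behaviour the
    question asks about."""
    r, inspected, action = 0, 0, "pass"
    while r < len(rules):
        rule = rules[r]
        inspected += 1
        jumped = False
        for f in FIELDS:
            want = getattr(rule, f)
            if want is not None and want != packet[f]:
                # mismatch: jump over the run of rules sharing this value
                r = rule.skip[f] if use_skip else r + 1
                jumped = True
                break
        if jumped:
            continue
        action = rule.action
        r += 1
    return action, inspected


def build_ruleset():
    """Constructed ruleset: 30 tcp, 40 udp and 20 icmp block rules."""
    rules = [Rule("block", "tcp", 1000 + i) for i in range(30)]
    rules += [Rule("block", "udp", 2000 + i) for i in range(40)]
    rules += [Rule("block", "icmp") for _ in range(20)]
    return calc_skip_steps(rules)


RULES = build_ruleset()

if __name__ == "__main__":
    for pkt in ({"proto": "tcp", "src_port": 5555},
                {"proto": "udp", "src_port": 2005},
                {"proto": "icmp", "src_port": None}):
        with_skip = evaluate(RULES, pkt)
        linear = evaluate(RULES, pkt, use_skip=False)
        print(f"{pkt}: skip steps -> {with_skip}, linear -> {linear}")
```

Running it shows the effect the reply describes: a TCP packet is compared against the 30 tcp rules plus one rule at the head of the udp run and one at the head of the icmp run (32 inspections instead of 90), and the final verdict is identical with and without skip steps. Note that skips exploit runs of equal values in ruleset order, so the grouping of rules by protocol in the question is what makes the jumps large.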