Date: Sun, 28 Mar 1999 14:44:47 +0200 (MET DST)
From: Luigi Rizzo <luigi@labinfo.iet.unipi.it>
To: jmb@hub.freebsd.org (Jonathan M. Bresler)
Cc: housley@frenchknot.ne.mediaone.net, noor@NetVision.net.il, freebsd-hackers@FreeBSD.ORG
Subject: Re: ipfw behavior, is it normal?
Message-ID: <199903281244.OAA03534@labinfo.iet.unipi.it>
In-Reply-To: <19990328145315.C71D514D61@hub.freebsd.org> from "Jonathan M. Bresler" at Mar 28, 99 06:52:56 am

Re. the problem with ipfw configurations... should we add another
instruction to

    ipfw <action> <proto> between A and B ...

to ease life in configuring firewalls?

Performance of a ruleset will be only marginally improved, but
having simpler rules will indirectly make configurations more secure
by reducing mistakes.

From the implementation point of view i think it is just one more
flag and replicating the four "if (...) continue" which check
addresses and ports. Performancewise, there is almost no saving
because the only checks that we save (those on interfaces) almost
never apply for bidirectional case.

cheers
luigi
-----------------------------------+-------------------------------------
  Luigi RIZZO                      .
  EMAIL: luigi@iet.unipi.it        . Dip. di Ing. dell'Informazione
  HTTP://www.iet.unipi.it/~luigi/  . Universita` di Pisa
  TEL/FAX: +39-050-568.533/522     . via Diotisalvi 2, 56126 PISA (Italy)
-----------------------------------+-------------------------------------

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-hackers" in the body of the message
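
Added example, not part of the message above and not ipfw source: a simplified C model of the proposal, in which a hypothetical F_BIDIR flag makes the matcher repeat the four address and port checks with source and destination swapped, so one "between A and B" rule covers what otherwise needs two mirrored rules. The struct layouts, the flag name and the sample packets are assumptions constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical, simplified model; these are not the FreeBSD ipfw structures. */
#define F_BIDIR 0x01            /* assumed flag: rule reads "between A and B" */

struct pkt  { uint32_t src, dst; uint16_t sport, dport; };
struct rule {
    uint32_t a, a_mask, b, b_mask;  /* address and mask for each endpoint */
    uint16_t a_port, b_port;        /* 0 means "any port" */
    unsigned flags;
};

/* The four checks (src addr, dst addr, src port, dst port) for one direction. */
static int match_dir(const struct rule *r, uint32_t src, uint32_t dst,
                     uint16_t sport, uint16_t dport)
{
    if ((src & r->a_mask) != (r->a & r->a_mask)) return 0;
    if ((dst & r->b_mask) != (r->b & r->b_mask)) return 0;
    if (r->a_port && sport != r->a_port) return 0;
    if (r->b_port && dport != r->b_port) return 0;
    return 1;
}

/* A one-way rule tests a single direction; with F_BIDIR the same four
 * checks are repeated with the packet's source and destination swapped. */
int rule_matches(const struct rule *r, const struct pkt *p)
{
    if (match_dir(r, p->src, p->dst, p->sport, p->dport)) return 1;
    if (r->flags & F_BIDIR)
        return match_dir(r, p->dst, p->src, p->dport, p->sport);
    return 0;
}

/* Constructed sample: host 10.0.0.5 talking to 192.0.2.10 port 25. */
static const struct pkt  req   = { 0x0A000005, 0xC000020A, 40000, 25 };
static const struct pkt  reply = { 0xC000020A, 0x0A000005, 25, 40000 };
static const struct pkt  other = { 0xC000020A, 0x0A000006, 25, 40000 };
static const struct rule one_way = { 0x0A000005, 0xFFFFFFFF, 0xC000020A, 0xFFFFFFFF, 0, 25, 0 };
static const struct rule between = { 0x0A000005, 0xFFFFFFFF, 0xC000020A, 0xFFFFFFFF, 0, 25, F_BIDIR };

int main(void)
{
    printf("one_way: req=%d reply=%d\n", rule_matches(&one_way, &req), rule_matches(&one_way, &reply));
    printf("between: req=%d reply=%d other=%d\n", rule_matches(&between, &req),
           rule_matches(&between, &reply), rule_matches(&between, &other));
    return 0;
}
```

With the one-way rule the reply packet falls through to later rules, which is where a forgotten mirror rule turns into a configuration mistake; the bidirectional rule matches both directions but still rejects the packet addressed to a different host.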