Date: Sun, 25 Nov 2001 16:23:53 +0100
From: "Matus \"fantomas\" Uhlar" <uhlar@fantomas.sk>
To: freebsd-questions@freebsd.org
Subject: ipfirewall optimizations
Message-ID: <20011125162353.A24468@fantomas.sk>
Hello,

I am just setting up a quite complicated firewall using ipfw; I want to restrict some tcp and udp services to be accepted only on some local IPs and only from some IP ranges. I'd like to know if it's a good idea to 'optimize' it by jumping between rules this way:

100 skipto 1000 tcp from any to any {port1} in
200 skipto 2000 tcp from any to any {port2} in
999 allow ip from any to any

1000 skipto 10000 tcp from any to {local_ip_1}
1001 deny ip from any to any

2000 skipto 20000 tcp from any to {local_ip_2}
2001 deny ip from any to any

10000 allow ip from {ip_range_1} to any
10001 allow ip from {ip_range_2} to any
10002 deny ip from any to any

20000 allow ip from {ip_range_1} to any
20001 allow ip from {ip_range_2} to any
20002 deny ip from any to any

Is jumping between rules fast enough? Is it better to do the jumping than to try to put all checks into one rule like this?

1000 allow ip from {ip_range_1} to {local_ip_1} {port1} in
1001 allow ip from {ip_range_2} to {local_ip_1} {port1} in
1002 deny ip from any to any {port1} in

2000 allow ip from {ip_range_1} to {local_ip_2} {port2} in
2001 allow ip from {ip_range_2} to {local_ip_2} {port2} in
2002 deny ip from any to any {port2} in

btw I have many more rules.

--
Matus "fantomas" Uhlar, uhlar@fantomas.sk ; http://www.fantomas.sk/
Warning: I don't wish to receive spam to this address.
Warning: I do not wish to receive any advertising mail at this address.
"Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
"So does syphilis. Good thing we have penicillin." - Matthew Alton

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message
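To check that the skipto tree and the flat list above really give the same verdicts, and to see how many rules a packet walks under each layout, here is an added example (not from the original message): a small Python model of ipfw's first-match evaluation with skipto. The ranges, local addresses and ports are constructed placeholders, the `in` direction keyword is not modelled, and a trailing allow is assumed for the flat list so that unrelated traffic is treated the same way as the tree's rule 999.

```python
from ipaddress import ip_address, ip_network

def R(proto=None, src=None, dst=None, dport=None):
    """Match criteria for one rule; None means 'any' (direction not modelled)."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}

def pkt(proto, src, dst, dport):
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}

def matches(crit, p):
    return (crit["proto"] in (None, p["proto"])
            and (crit["src"] is None or ip_address(p["src"]) in ip_network(crit["src"]))
            and (crit["dst"] is None or ip_address(p["dst"]) in ip_network(crit["dst"]))
            and crit["dport"] in (None, p["dport"]))

def evaluate(rules, p):
    """First-match walk in rule-number order; skipto jumps to the first rule
    numbered >= its target. Returns (verdict, number of rules visited)."""
    nums = sorted(rules)
    i, visited = 0, 0
    while i < len(nums):
        action, target, crit = rules[nums[i]]
        visited += 1
        if not matches(crit, p):
            i += 1
        elif action == "skipto":
            i = next((k for k, n in enumerate(nums) if n >= target), len(nums))
        else:
            return action, visited
    return "deny", visited  # ipfw's implicit default rule 65535

RANGE1, RANGE2 = "192.0.2.0/24", "198.51.100.0/24"              # constructed
LOCAL1, LOCAL2, PORT1, PORT2 = "203.0.113.10", "203.0.113.20", 25, 110

# The skipto tree from the message: dispatch on port, then local address, then source range.
TREE = {
    100: ("skipto", 1000, R("tcp", dport=PORT1)), 200: ("skipto", 2000, R("tcp", dport=PORT2)),
    999: ("allow", None, R()),
    1000: ("skipto", 10000, R("tcp", dst=LOCAL1)), 1001: ("deny", None, R()),
    2000: ("skipto", 20000, R("tcp", dst=LOCAL2)), 2001: ("deny", None, R()),
    10000: ("allow", None, R(src=RANGE1)), 10001: ("allow", None, R(src=RANGE2)), 10002: ("deny", None, R()),
    20000: ("allow", None, R(src=RANGE1)), 20001: ("allow", None, R(src=RANGE2)), 20002: ("deny", None, R()),
}
# The flat alternative; rule 9999 is an assumed trailing allow, matching the tree's rule 999.
FLAT = {
    1000: ("allow", None, R("tcp", RANGE1, LOCAL1, PORT1)), 1001: ("allow", None, R("tcp", RANGE2, LOCAL1, PORT1)),
    1002: ("deny", None, R("tcp", dport=PORT1)),
    2000: ("allow", None, R("tcp", RANGE1, LOCAL2, PORT2)), 2001: ("allow", None, R("tcp", RANGE2, LOCAL2, PORT2)),
    2002: ("deny", None, R("tcp", dport=PORT2)), 9999: ("allow", None, R()),
}

def compare(p):
    """(verdict, rules visited) under the skipto tree and under the flat list."""
    return evaluate(TREE, p), evaluate(FLAT, p)
```

Running `compare(pkt("tcp", "10.0.0.1", LOCAL1, PORT1))` shows both layouts denying the packet, with the tree visiting 5 rules and the flat list 3; for traffic the rules do not cover, the tree reaches its allow after 3 rules while the flat list walks all 7.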