Date:      Sun, 25 Nov 2001 16:23:53 +0100
From:      "Matus \"fantomas\" Uhlar" <uhlar@fantomas.sk>
To:        freebsd-questions@freebsd.org
Subject:   ipfirewall optimalizations
Message-ID:  <20011125162353.A24468@fantomas.sk>

Hello,

I am just setting up a quite complicated firewall using ipfw;

I want to restrict some TCP and UDP services to accept connections only on some local
IPs and only from some IP ranges.

I'd like to know if it's a good idea to 'optimize' it by jumping between rules
this way:


100 skipto 1000 tcp from any to any {port1} in
200 skipto 2000 tcp from any to any {port2} in

999 allow ip from any to any

1000 skipto 10000 tcp from any to {local_ip_1}
1001 deny ip from any to any

2000 skipto 20000 tcp from any to {local_ip_2}
2001 deny ip from any to any

10000 allow ip from {ip_range_1} to any
10001 allow ip from {ip_range_2} to any
10002 deny ip from any to any

20000 allow ip from {ip_range_1} to any
20001 allow ip from {ip_range_2} to any
20002 deny ip from any to any


Is jumping between rules fast enough? Is it better to do the jumping than to
try to put all the checks into one rule like this?

1000 allow ip from {ip_range_1} to {local_ip_1} {port1} in
1001 allow ip from {ip_range_2} to {local_ip_1} {port1} in
1002 deny ip from any to any {port1} in

2000 allow ip from {ip_range_1} to {local_ip_2} {port2} in
2001 allow ip from {ip_range_2} to {local_ip_2} {port2} in
2002 deny ip from any to any {port2} in


btw I have many more rules.

-- 
 Matus "fantomas" Uhlar, uhlar@fantomas.sk ; http://www.fantomas.sk/
 Warning: I don't wish to receive spam to this address.
 Warning: I do not wish to receive any advertising mail at this address.
 "Two words: Windows survives." - Craig Mundie, Microsoft senior strategist
 "So does syphilis. Good thing we have penicillin." - Matthew Alton
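The skipto layout sketched in the message above, generalized to any number of services, as an added example (not the author's own configuration): a POSIX sh generator that prints the ipfw commands so the resulting ruleset can be reviewed before it is loaded. The per-service rule-number scheme, the service list and the addresses, ports and source ranges are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original post: generate the skipto-style ipfw
# ruleset for any number of services. It only prints the "ipfw add" commands
# so the result can be reviewed (or piped to sh) before loading.
# Assumptions: every service allows the same source ranges, as in the post;
# all addresses, ports and ranges below are constructed sample values.

# emit_service_rules N PROTO PORT LOCAL_IP RANGE...
# Rule numbers are derived from the service index N so the blocks never
# collide and every skipto jumps forward (ipfw only skips to higher numbers):
#   100*N    dispatch rule: skipto the service block
#   1000*N   service block: destination must be the service's local address
#   10000*N  source block: one allow per permitted source range, then deny
emit_service_rules() {
    n=$1 proto=$2 port=$3 local_ip=$4; shift 4
    if [ "$n" -lt 1 ] || [ "$n" -gt 6 ]; then
        echo "service index $n out of range: rule numbers must stay below 65535" >&2
        return 1
    fi
    d=$((100 * n)) s=$((1000 * n)) r=$((10000 * n))
    printf 'ipfw add %d skipto %d %s from any to any %s in\n' "$d" "$s" "$proto" "$port"
    printf 'ipfw add %d skipto %d %s from any to %s\n' "$s" "$r" "$proto" "$local_ip"
    printf 'ipfw add %d deny ip from any to any\n' "$((s + 1))"
    i=0
    for range in "$@"; do
        printf 'ipfw add %d allow ip from %s to any\n' "$((r + i))" "$range"
        i=$((i + 1))
    done
    printf 'ipfw add %d deny ip from any to any\n' "$((r + i))"
}

# build_ruleset: services are "proto:port:local_ip" tokens. ipfw inserts each
# rule by number, so emitting them per service still yields the intended order.
build_ruleset() {
    ranges="198.51.100.0/24 203.0.113.0/24"                     # constructed
    services="tcp:25:192.0.2.10 tcp:53:192.0.2.11 udp:53:192.0.2.11"  # constructed
    n=1
    for svc in $services; do
        proto=${svc%%:*}; rest=${svc#*:}
        port=${rest%%:*}; local_ip=${rest#*:}
        emit_service_rules "$n" "$proto" "$port" "$local_ip" $ranges || return 1
        n=$((n + 1))
    done
    # Traffic not dispatched to any service block is accepted here, as in the post.
    printf 'ipfw add 999 allow ip from any to any\n'
}

build_ruleset
```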
