On Sun, 19 Jan 2003, Darren Pilgrim wrote:

[snip-a-bit]
DP> > By the way, is (moderately complex) aggregated rule faster than mix of simple
DP> > rules? (for now, we drop accounting issues)
DP> >
DP> I'm not sure if the {a.b.c.0/24 or e.f.g.0/20} part is valid, but in theory
DP> this rule should require fewer ops on average than 8 separate rules.  What I
DP> meant when I said aggregate is that if you have a contiguous block of IPs,
DP> say 1.2.3.1 through 1.2.3.63, most need ports 22, 25, 80, and 443 open, then
DP> create one rule:
DP>
DP> pass tcp from any to 1.2.3.0/26 22,25,80,443

Yeah, I suppose we both got the point ;-)

The only side note I have for now is: it would be _extremely_ useful to
describe firewall tuning either in firewall.7 or security.7 or even an explicit
manpage as well as bring it under attention into the Handbook. However, not
being a native speaker and/or kernel deep-knowledge-man, /me just silently
crouches into his corner ;-)


Anyway, thank you, all the Crew, and congrats on the 5.0 release!


Sincerely,
D.Marck                                   [DM5020, DM268-RIPE, DM3-RIPN]
------------------------------------------------------------------------
*** Dmitry Morozovsky --- D.Marck --- Wild Woozle --- [EMAIL PROTECTED] ***
------------------------------------------------------------------------
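An added example, not part of the thread above, of the aggregation the two messages discuss: it computes the smallest CIDR block covering a set of hosts, emits the single ipfw rule in the syntax Darren quoted, and lists the host/port pairs that one rule opens which no individual per-host entry asked for (the precision you trade for fewer rule evaluations). The host/port input is constructed; host 1.2.3.5 is given no port 25 entry on purpose so that the check has something to report.

```python
import ipaddress

# Constructed sample input (not from the thread): per-host (host, port) allow
# entries for 1.2.3.1 .. 1.2.3.63 needing 22, 25, 80 and 443, except that
# host 1.2.3.5 does not need port 25, to show what aggregation over-permits.
SAMPLE_RULES = [
    (f"1.2.3.{i}", p)
    for i in range(1, 64)
    for p in (22, 25, 80, 443)
    if not (i == 5 and p == 25)
]


def covering_prefix(hosts):
    """Return the smallest IPv4 CIDR block containing every host in `hosts`."""
    addrs = sorted(ipaddress.IPv4Address(h) for h in hosts)
    net = ipaddress.IPv4Network(str(addrs[-1]))  # /32 of the highest address
    while addrs[0] not in net:                   # widen until the lowest fits
        net = net.supernet()
    return net


def aggregate(rules):
    """Collapse (host, port) pairs into one ipfw 'pass tcp' rule.

    Returns (rule_text, extras) where extras lists the (host, port) pairs the
    aggregate permits that were not in the input: hosts inside the covering
    prefix that had no entry, or ports a listed host did not ask for.
    """
    wanted = set(rules)
    ports = sorted({p for _, p in rules})
    net = covering_prefix({h for h, _ in rules})
    rule = f"pass tcp from any to {net} {','.join(str(p) for p in ports)}"
    extras = [
        (str(a), p)
        for a in net          # every address in the block, .0 and broadcast too
        for p in ports
        if (str(a), p) not in wanted
    ]
    return rule, extras


if __name__ == "__main__":
    rule, extras = aggregate(SAMPLE_RULES)
    print(f"{len(SAMPLE_RULES)} per-host entries -> 1 rule: {rule}")
    print(f"{len(extras)} host/port pairs opened beyond what was asked:")
    for host, port in extras:
        print(f"  {host} port {port}")
```

Run it and compare the reported extras against what those hosts actually need before replacing the per-host rules; the rule count drops from 251 to 1, but so does the granularity.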
