Thank you all for your help.
> On 08.01.2010 12:14, Peter Maxwell wrote:
>> 2010/1/8 Olivier Thibault <olivier.thiba...@lmpt.univ-tours.fr>:
>>
>>> On 08.01.2010 11:31, Peter Maxwell wrote:
>>>
>>>> 2010/1/8 Olivier Thibault <olivier.thiba...@lmpt.univ-tours.fr>:
>>>>
>>>>>> # keep stats of outgoing connections
>>>>>> pass out keep state
>>>>>>
>>>>> This rule allows everything out and the next outgoing rules won't be
>>>>> checked, as this one matches first.
>>>>>
>>>> That's incorrect, pf does the opposite and uses the *last* match - at
>>>> least that's what the documentation says...
>>>> http://www.openbsd.org/faq/pf/filter.html
>>>>
>>>> The quick keyword is used for shortcut evaluation.
>>>>
>>> Yes! Actually, all the following rules in my pf.conf use this keyword.
>>> That's why I said that.
>>> I suppose the rules evaluation is quicker this way but I may be wrong.
>>> Am I?
>>>
>>
>> Erm, mostly wrong... it wouldn't improve performance if even a
>> majority of your rules use it; in that case all you've done is change
>> last match processing to first match processing.
>>
>> When pf is actually processing packets (this is not the same as
>> loading your rule set), let's assume that the packets are evaluated
>> against each rule in a sequential manner. With that assumption,
>> having most of your rules *without* the quick keyword, then only using
>> quick for those rules near the top of your ruleset that process a
>> large amount of new connections (again, not synonymous with traffic -
>> it's new connections that matter), in that case you may see a
>> performance improvement. For example, say you have a complex ruleset
>> but lots of incoming connections on port 80 - then using the quick
>> keyword and placing the rule near the top of your ruleset may improve
>> things.
>>
>> However, that assumes pf goes through the rules in a sequential manner
>> when actually processing packets - that may not be true.
>> My advice would be to put a single 'block all' rule at the top, then have the
>> remainder of your rules doing 'pass': it is much much easier to read
>> and debug. What is more valuable to you, saving hours on debugging a
>> firewall box or a 2% performance improvement? It is also unlikely
>> you'd be getting enough traffic to warrant the use of 'quick' ;-)
>>
>> Most other packet filters/firewalls I've used use match first.
>> Logically using match last is no different (you essentially just write
>> your rule set upside-down), but it is actually my preference.
>
>
> --
> Olivier THIBAULT
> Université François Rabelais - UFR Sciences et Techniques
> Laboratoire de Mathématiques et Physique Théorique (UMR CNRS 6083)
> Service Informatique de l'UFR
> Parc de Grandmont
> 37200 Tours - France
> Email: olivier.thibault at lmpt.univ-tours.fr
> Tel: (33)(0)2 47 36 69 12
> Fax: (33)(0)2 47 36 70 68
> Mobile : (33)(0)6 62 60 80 44
>
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscr...@freebsd.org"
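The "block all at the top, then pass" layout recommended in the thread, written out as a small pf.conf under pf's last-match evaluation. This is an added example, not a ruleset posted by anyone in the thread; the interface name, addresses and exposed services are assumptions.

```pf
# Added example, not from the thread. Names and addresses are assumptions.
ext_if     = "em0"
web_server = "192.0.2.10"

# Default deny, first. Because pf evaluates every rule and keeps the *last*
# match, this line only decides packets that no later "pass" rule matches.
# Logging the default deny is what makes a misbehaving ruleset easy to debug.
block log all

# Stateful pass for everything this host originates. Replies are answered
# from the state table and never reach the rules below, so putting this
# rule early does NOT "shadow" later rules the way it would under first match.
pass out on $ext_if keep state

# Services exposed to the outside. Without "quick", evaluation continues past
# each of these, but no later rule overrides them, so they still win.
# "flags S/SA" creates state only on the initial SYN of a TCP handshake.
pass in on $ext_if proto tcp to $web_server port 80 flags S/SA keep state
pass in on $ext_if proto tcp to $ext_if      port 22 flags S/SA keep state

# Optional shortcut, per the thread: only worth considering when one rule
# accounts for a large share of *new* connections. With "quick", matching
# packets stop here instead of being checked against the rest of the file.
# Uncomment and keep it near the top, directly after the block rule:
# pass in quick on $ext_if proto tcp to $web_server port 80 flags S/SA keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, which catches syntax errors before the running ruleset is replaced.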