From: [EMAIL PROTECTED]

> Until recently I also pictured pf as feature complete. However, after
> having had hands-on experience with writing a rule set with special
> queueing of traffic directed to a (relatively high) number of
> unsucceeding port numbers, I am annoyed with the limited tables in pf.
> In my opinion it would be really neat if a table concept was introduced
> for ports, possibly including protocol (tcp/udp) indication. That would
> make it possible to optimize rules that try to match a high number of
> ports, similar to the way rules that try to match a high number of host
> and network addresses can be optimized using the existing tables.
>
> I'm striving to find out whether my idea is appropriate or just
> nonsense.
>
> Maybe clever firewall design shouldn't need to match a high number of
> ports?
Maybe a better-designed application wouldn't have to make use of such a clusterbag of ports in the first place?

DS
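The asymmetry the quoted poster describes, as an added pf.conf illustration that is not part of this thread: an address table is consulted at runtime by a single rule, whereas a port list (and a protocol list) is expanded by pfctl at load time into one rule per combination, which is what the existing tables cannot help with. The ALTQ/cbq queue syntax of pf at the time is assumed; the interface name, table and queue names, bandwidths and port numbers are illustrative only.

```pf
# Added example, not from the original mailing-list post.
# Assumes ALTQ-era pf; em0, the queue names and all port numbers are made up.
ext_if = "em0"

# Addresses scale: one rule, membership is looked up in the table at runtime,
# and the table can be changed with pfctl -t without reloading the rule set.
table <scan_sources> persist
block in quick on $ext_if from <scan_sources> to any

# A small queue for traffic aimed at the "interesting" ports.
altq on $ext_if cbq bandwidth 10Mb queue { std, scanq }
queue std bandwidth 90% cbq(default)
queue scanq bandwidth 10%

# Ports do not scale the same way: a list is expanded when the rule set is
# loaded, so this one line becomes five rules (inspect with pfctl -vnf pf.conf).
pass in on $ext_if proto tcp from any to any port { 135 137 138 139 445 } queue scanq

# Lists multiply: two protocols times three ports is six rules.
pass in on $ext_if proto { tcp udp } from any to any port { 111 2049 4045 } queue scanq

# Only contiguous ports collapse: a range stays a single rule.
pass in on $ext_if proto tcp from any to any port 6000:6063 queue scanq
```

Loading this with `pfctl -vnf` shows the expanded rules without installing them, which is the quickest way to see how large a rule set a long port list produces; grouping scattered ports into the fewest ranges that cover them is the only reduction available without a port table.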