Since I have a lot of rules, if I get the attackers into a table and use
a block quick on it, pf won't have to run through all the rules for it.
Right now, for every packet the attacker sends, pf has to run it through
all the rules.
The main difference is being able to use a quick rule. I don't know for
sure how much resources pf uses to fit a packet against all rules, but
maybe a 10k pkts/s attack will drain some resources if pf needs to see
all those rules; if I can get this attack into a table on the first 1k
packets, a quick rule will apply to it, lowering the load on the
firewall (maybe?).
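A pf.conf layout for the approach described above, as an added example rather than anything posted in the thread (the interface name, port list and rate limits are assumptions):

```pf
# Added example, not from the thread. $ext_if, the port list and the
# rate limits are assumed values.
ext_if = "em0"
table <attackers> persist

# Evaluated first: a source already in the table is dropped here and,
# because of "quick", pf stops evaluating the rest of the ruleset for
# that packet.
block in quick on $ext_if from <attackers>

# Default policy. pf is last-match, so a packet to a port with no pass
# rule only ends up here after every later rule has been evaluated.
block in log on $ext_if all

# overload only works on a stateful pass rule, not on a block rule:
# a source opening more than 20 new connections in 10 seconds is added
# to <attackers> and its existing states are flushed, so its next
# packet is caught by the quick block above.
pass in on $ext_if proto tcp to port { 22, 80 } keep state \
    (max-src-conn-rate 20/10, overload <attackers> flush global)

# Sources that only ever hit the default block (no pass rule to
# overload) can still be put into the table from outside pf, e.g. by a
# script watching pflog:
#   pfctl -t attackers -T add 192.0.2.10      # constructed address
# and aged out periodically with:
#   pfctl -t attackers -T expire 3600
```

Check the resulting table with `pfctl -t attackers -T show` and confirm with `pfctl -vsr` that the quick block rule's counters rise while the default block rule's stay flat for a listed source.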
Stefan Schulze Frielinghaus wrote:
> But what benefit do you expect to get when you block it via a
> max-src-conn-rate/overload rule or directly via a (default) block rule?
> In either way you will block the packet.
> On Fri, 2008-02-29 at 16:49 -0300, Vinicius Vianna wrote:
> > The problem is that these attacks aren't on any pass rule, they are on
> > ports that my firewall doesn't permit, so the packet will go to the
> > block rule, and I can't use these overload rules with block, can I?