[pf4freebsd] Re: Question about tables vs. lists.

James Quick jq at quick.com
Wed Sep 15 20:52:37 PDT 2004


Hi Max,

Thanks for responding.
On Sep 29, 2003, at 12:07 PM, Max Laier wrote:
>
> I prefer lists over tables when I have a small set of stable hosts or
> nets that I want to filter (=block). The reason for that is, that I
> somewhat "hardcode" it into my ruleset and that I can get per host
> output from pflog. I use tables only where I want a manageable solution
> and have fairly many addresses.

I'm not sure I understand what you mean by this statement.
If you meant pfctl instead of pflog then it makes sense to me.
Given two rules one of which uses a table, and another which
uses a list, wouldn't the stream of tcpdump packets written to
the pflog device be the same except for rule number?

If you really did mean pflog could you please elaborate?

> However, I don't believe that you will see much difference between a
> table- or list-powered ruleset for 10-20 addresses. Choose whatever
> approach is the more comfortable for you.

I did a lot of playing around, and you're right, performance does
not seem to be an issue. Thanks for the confirmation.  I just
wanted to be sure that I wasn't going to step in anything later.
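An added example, not from the thread, showing the two approaches discussed above as pf.conf fragments: a list is expanded by pfctl into one rule per address at load time, while a table is referenced by a single rule. The interface name `em0`, the table name `blocked` and the addresses are assumptions.

```conf
# Approach 1: a list. pfctl expands this into one rule per address when the
# ruleset is loaded, so each host gets its own rule number and its own
# counters in `pfctl -vsr` output.
ext_if = "em0"   # assumed interface name
block in log quick on $ext_if from { 192.0.2.10, 192.0.2.11, 198.51.100.7 } to any

# `pfctl -nvf pf.conf` prints the expansion along these lines
# (addresses are constructed for this example):
#   block drop in log quick on em0 inet from 192.0.2.10 to any
#   block drop in log quick on em0 inet from 192.0.2.11 to any
#   block drop in log quick on em0 inet from 198.51.100.7 to any

# Approach 2: a table. One rule references the whole set, and entries can
# be added or removed at runtime without reloading the ruleset:
#   pfctl -t blocked -T add 203.0.113.9
#   pfctl -t blocked -T delete 192.0.2.11
#   pfctl -t blocked -T show
table <blocked> persist { 192.0.2.10, 192.0.2.11, 198.51.100.7 }
block in log quick on $ext_if from <blocked> to any

# With either approach a logged packet is written to the pflog interface
# and can be read with:
#   tcpdump -n -e -ttt -i pflog0
# The source address is present in the capture either way; the rule number
# recorded with the packet is per-host only in the list form.
```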
