freebsd 8

Kurt Turner kturner at absolutenetworks.biz
Fri Jan 8 15:00:36 UTC 2010


Thank you all for your help.



> On 08.01.2010 12:14, Peter Maxwell wrote:
>
>> 2010/1/8 Olivier Thibault <Olivier.Thibault at lmpt.univ-tours.fr>:
>>
>>> On 08.01.2010 11:31, Peter Maxwell wrote:
>>>
>>>> 2010/1/8 Olivier Thibault <Olivier.Thibault at lmpt.univ-tours.fr>:
>>>>
>>>>>> # keep stats of outgoing connections
>>>>>> pass out keep state
>>>>>>
>>>>> This rule allows everything out and the next outgoing rules won't be
>>>>> checked, as this one matches first.
>>>>>
>>>> That's incorrect, pf does the opposite and uses the *last* match - at
>>>> least that's what the documentation says...
>>>> http://www.openbsd.org/faq/pf/filter.html
>>>>
>>>> The quick keyword is used for shortcut evaluation.
>>>>
>>> Yes ! Actually, all the following rules in my pf.conf use this keyword.
>>> That's why I said that.
>>> I suppose the rules evaluation is quicker this way but I may be wrong.
>>> Am I ?
>>>
>>
>> Erm, mostly wrong... it wouldn't improve performance if even a
>> majority of your rules use it, in that case all you've done is change
>> last match processing to first match processing.
>>
>> If when pf is actually processing packets (this is not the same as
>> loading your rule set), let's assume that the packets are evaluated
>> against each rule in a sequential manner. With that assumption,
>> having most of your rules *without* the quick keyword then only use
>> quick for those rules near the top of your ruleset that process a
>> large amount of new connections (again, not synonymous with traffic -
>> it's new connections that matter), in that case you may see a
>> performance improvement.  For example, say you have a complex ruleset
>> but lots of incoming connections on port 80 - then using the quick
>> keyword and placing the rule near the top of your ruleset may improve
>> things.
>>
>> However, that assumes pf goes through the rules in a sequential manner
>> when actually processing packets - that may not be true.  My advice
>> would be to put a single 'block all' rule at the top, then have the
>> remainder of your rules doing 'pass': it is much much easier to read
>> and debug.  What is more valuable to you, saving hours on debugging a
>> firewall box or a 2% performance improvement?  It is also unlikely
>> you'd be getting enough traffic to warrant the use of 'quick' ;-)
>>
>> Most other packet filters/firewalls I've used use match first.
>> Logically using match last is no different (you essentially just write
>> your rule set upside-down), but it is actually my preference.
>>
>
>
> --
> Olivier THIBAULT
> Université François Rabelais - UFR Sciences et Techniques
> Laboratoire de Mathématiques et Physique Théorique (UMR CNRS 6083)
> Service Informatique de l'UFR
> Parc de Grandmont
> 37200 Tours - France
> Email: olivier.thibault at lmpt.univ-tours.fr
> Tel:     (33)(0)2 47 36 69 12
> Fax:     (33)(0)2 47 36 70 68
> Mobile : (33)(0)6 62 60 80 44
>
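As an added example, not part of the thread or of pf itself, here is a small Python model of the evaluation order Peter describes: the last matching rule wins, unless a matching rule carries `quick`, which stops evaluation at that rule. The rulesets and packets are constructed for illustration; the "block all at the top, then pass" list models Peter's suggested layout and the first list models Olivier's "pass out keep state" followed by quick rules.

```python
from dataclasses import dataclass
from typing import Optional, List

@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: Optional[str]     # "in", "out" or None (matches either)
    port: Optional[int]          # destination port, or None (matches any)
    quick: bool = False          # pf's "quick": stop evaluating on match

@dataclass
class Packet:
    direction: str
    port: int

def matches(rule: Rule, pkt: Packet) -> bool:
    return rule.direction in (None, pkt.direction) and rule.port in (None, pkt.port)

def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """pf semantics: the LAST matching rule decides, unless a matching rule
    is marked quick, in which case evaluation stops right there.
    pf passes packets that match no rule at all (its implicit default)."""
    winner = None
    for rule in rules:
        if matches(rule, pkt):
            winner = rule
            if rule.quick:
                break
    return winner.action if winner else "pass"

# Constructed: Olivier's layout, "pass out keep state" first, later rules quick.
OLIVIER = [
    Rule("pass", "out", None),                 # pass out keep state
    Rule("block", "out", 25, quick=True),      # a later quick rule
]
# Constructed: the same first rule but WITH quick, which is what Olivier's
# "first match wins" reading would actually require.
OLIVIER_QUICK_FIRST = [
    Rule("pass", "out", None, quick=True),
    Rule("block", "out", 25, quick=True),
]
# Constructed: Peter's suggested layout, block all first, then pass rules.
PETER = [
    Rule("block", None, None),                 # block all
    Rule("pass", "out", None),                 # pass out keep state
    Rule("pass", "in", 80),                    # pass in ... port 80
]
```

Under `OLIVIER` the early `pass out` does not shadow the later block rule, which is the point of Peter's correction; only `OLIVIER_QUICK_FIRST` behaves the way Olivier expected.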

