Board: FB_security
Title: Re: URGENT?
Posted from: NCTU CS FreeBSD Server (Sun Mar 23 06:33:48 2014)
Relayed via: ptt!csnews.cs.nctu!news.cednctu!FreeBSD.cs.nctu!.POSTED!freebsd.org!ow
On 3/22/14, 8:11 AM, RW wrote:
> On Sat, 22 Mar 2014 08:48:40 -0600
> Brett Glass wrote:
>
>> This is correct. And that's awkward, because you might not want all of
>> these checks in one place. Also, if there are many dynamic rules this
>> will slow traffic down quite a bit.
In ipfw that's up to you,
but I usually put the check-state quite early in my rule sets.
I am working on a new rc.firewall that is much more efficient.
The trouble is that the script to make it do what I want is a bit more
complicated.
I'll put it out for discussion later, maybe tonight.
> It should be the other way around. Once a flow has been learned it's
> just a simple hash-table lookup once you hit the first stateful rule.
> In pf most packets bypass the rules altogether.
> _______________________________________________
> [email protected] mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "[email protected]"
>
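The cost difference discussed in this thread, as an added example that is not part of the original messages and is not ipfw code: a toy Python model of rule traversal in which the dynamic-state table is consulted at the first check-state or keep-state rule a packet reaches. The names `build_ruleset`, `process` and `rules_examined`, the rule kinds and the sample flow are all hypothetical.

```python
# Toy model of ipfw-style rule traversal (illustrative only, not ipfw source).
# Assumption: stateless "filter" rules never match the sample flow, and the
# last rule is an allow rule with keep-state that creates the dynamic entry.

def build_ruleset(n_filters, check_state_at):
    """n_filters stateless rules, an optional check-state at the given
    index (None omits it), and a final keep-state allow rule."""
    rules = ["filter"] * n_filters
    if check_state_at is not None:
        rules.insert(check_state_at, "check-state")
    rules.append("keep-state")
    return rules

def process(rules, flow, state_table):
    """Walk the rules for one packet; return how many rules were examined."""
    looked_up = False
    for examined, kind in enumerate(rules, start=1):
        if kind in ("check-state", "keep-state") and not looked_up:
            looked_up = True              # dynamic table is checked only once
            if flow in state_table:       # constant-time hash lookup
                return examined           # learned flow: stop walking here
        if kind == "keep-state":
            state_table.add(flow)         # first packet installs the state
            return examined
    return len(rules)                     # fell through to the default rule

def rules_examined(n_filters, check_state_at, n_packets):
    """Per-packet rule counts for n_packets of one constructed flow."""
    rules = build_ruleset(n_filters, check_state_at)
    table = set()
    flow = ("tcp", "192.0.2.10", 50000, "198.51.100.5", 443)  # constructed
    return [process(rules, flow, table) for _ in range(n_packets)]

if __name__ == "__main__":
    for pos in (0, 25, None):
        print("check-state at", pos, "->", rules_examined(50, pos, 4))
```

With 50 stateless rules, an early check-state makes every packet after the first cost one rule, while omitting it makes each packet walk all the way to the keep-state rule.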