Beginner Basics • Re: Improve firewall

Consider this: the firewall has to try to match every matching criterion of a rule before it can conclude whether to execute it or pass it (OK, it might stop matching if one criterion doesn't match, as all criteria have to match for the rule to execute). And let's say each simple matching costs the same (e.g. 1 something) while complex matching is more expensive ... in the alternative rule it may have to match against 4 different dst-port numbers, so let's say the cost is 4 somethings (I'd be disappointed if the cost is really that high, matching might be optimized, but I'm considering this estimate worst case).

So the cost of each of the simple rules is 3 somethings (possibly much more as there's matching against address list, plus there's matching against protocol and against single dst-port). You have 4 such rules, so the total cost for packets not matching any of them will be 12 somethings (possibly much more due to address-list).
The cost of the single complex rule is around 6 somethings (matching against protocol, 4 matchings against dst-port and matching against address-list), possibly more (if matching against address-list proved more expensive) but the increase is not proportional to the number of ports in the matching list.

So it's 12 (plus 4x something) versus 6 (plus 1x something).

The only drawback of the "combined" rule is if one wants to change only one detail ... e.g. if the SSH server is migrated to another IP address, which means adding an entirely new rule (vs. adjusting an existing rule in the case of multiple simple rules).

Statistics: Posted by mkx — Sat Jan 27, 2024 3:29 pm
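To make the comparison concrete, here is what the two layouts look like as RouterOS firewall rules. This is an added illustration, not configuration from the post above; the chain, the port numbers (22, 80, 443, 8291), the address-list name `servers` and the IP 203.0.113.5 are all assumed, since the post does not name them.

```routeros
# Assumed layout, not from the post: four simple rules. A packet that matches
# none of them is checked against protocol, one dst-port and the address list
# four times over (4 rules x 3 criteria in the post's cost model).
/ip firewall filter
add chain=forward protocol=tcp dst-port=22   dst-address-list=servers action=accept comment="ssh (simple)"
add chain=forward protocol=tcp dst-port=80   dst-address-list=servers action=accept comment="http (simple)"
add chain=forward protocol=tcp dst-port=443  dst-address-list=servers action=accept comment="https (simple)"
add chain=forward protocol=tcp dst-port=8291 dst-address-list=servers action=accept comment="winbox (simple)"

# Same policy as one combined rule: protocol and address list are matched
# once and the port list is a single criterion (1 rule x 6 in the post's
# cost model, and not growing linearly with the number of ports).
/ip firewall filter
add chain=forward protocol=tcp dst-port=22,80,443,8291 dst-address-list=servers action=accept comment="services (combined)"

# The trade-off from the post: if only the SSH server moves to an address
# that is not in the list, the combined rule cannot simply be adjusted;
# SSH gets its own rule again (203.0.113.5 is a placeholder address).
/ip firewall filter
add chain=forward protocol=tcp dst-port=80,443,8291 dst-address-list=servers action=accept comment="services (combined, ssh split out)"
add chain=forward protocol=tcp dst-port=22 dst-address=203.0.113.5 action=accept comment="ssh (separate rule after migration)"
```

RouterOS evaluates filter rules top to bottom, so the combined rule must take the place of the four simple rules rather than be appended after them, and `/ip firewall filter print stats` shows whether it is actually being hit.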
