OPNsense Forum

English Forums => Development and Code Review => Topic started by: iMac-ant on September 10, 2020, 10:47:08 AM

Title: Firewall Rules Optimization
Post by: iMac-ant on September 10, 2020, 10:47:08 AM
Hi,

How does the Firewall Ruleset Optimization command work? Following the man page for set ruleset-optimization from pf.conf:

basic -->    Enable basic ruleset optimization. This is the default behaviour. Basic ruleset optimization does four things to improve the performance of ruleset evaluations:

        1. remove duplicate rules
        2. remove rules that are a subset of another rule
        3. combine multiple rules into a table when advantageous
        4. reorder the rules to improve evaluation performance

none --> Disable the ruleset optimizer.
profile --> Uses the currently loaded ruleset as a feedback profile to tailor the ordering of quick rules to actual network traffic.

It is important to note that the ruleset optimizer will modify the ruleset to improve performance. A side effect of the ruleset modification is that per-rule accounting statistics will have different meanings than before. If per-rule accounting is important for billing purposes or whatnot, either the ruleset optimizer should not be used or a label field should be added to all of the accounting rules to act as optimization barriers.

Optimization can also be set as a command-line argument to pfctl, overriding the settings in pf.conf.


I tried cloning some rules in the LAN ruleset, and in Firewall --> Advanced Settings --> Miscellaneous the basic Firewall Rules Optimization is set. When I reload all firewall services, the ruleset is the same. Why?

Thanks in advance.

Antonio
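As an added illustration of the first three optimizer steps quoted above (this is example code written for this thread, not pf's or OPNsense's optimizer), the toy model below takes a small constructed ruleset containing an exact clone, a rule that is a subset of an earlier one, and two rules that differ only in source address, and shows what survives. Its matching semantics are simplified assumptions: all rules are quick, first match wins, source and destination are sets of host addresses, and a rule carrying a label is left untouched as an optimization barrier.

```python
"""Toy model of pf's "basic" ruleset optimization (steps 1-3 of the man page).

Added example for illustration only; it is not pf or OPNsense code. The Rule
fields and the covers()/merge semantics are simplifying assumptions.
"""
from dataclasses import dataclass, replace
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                          # "pass" or "block"
    proto: Optional[str]                 # None means any protocol
    src: Optional[FrozenSet[str]]        # set of hosts, None means any
    dst: Optional[FrozenSet[str]]
    dport: Optional[int]                 # None means any port
    quick: bool = True                   # assumption: every rule is quick
    label: Optional[str] = None          # a label acts as an optimization barrier


def host(addr: str) -> FrozenSet[str]:
    """Single-host address as a one-element table."""
    return frozenset({addr})


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet b matches is already matched by a with the same verdict."""
    if a.action != b.action or a.quick != b.quick:
        return False
    if a.proto is not None and a.proto != b.proto:
        return False
    if a.dport is not None and a.dport != b.dport:
        return False
    for fa, fb in ((a.src, b.src), (a.dst, b.dst)):
        if fa is not None and (fb is None or not fb <= fa):
            return False
    return True


def optimize(rules: List[Rule]) -> List[Rule]:
    # Steps 1 and 2: with first-match semantics, a rule that an earlier kept
    # rule already covers (duplicate or subset) can never change the verdict.
    # Labelled rules neither get dropped nor serve as the covering rule.
    kept: List[Rule] = []
    for r in rules:
        if r.label is None and any(covers(k, r) for k in kept if k.label is None):
            continue
        kept.append(r)

    # Step 3: consecutive unlabelled rules that differ only in source address
    # collapse into one rule whose source is a table of all those hosts.
    merged: List[Rule] = []
    for r in kept:
        if merged:
            prev = merged[-1]
            mergeable = (
                prev.label is None and r.label is None
                and prev.src is not None and r.src is not None
                and (prev.action, prev.proto, prev.dst, prev.dport, prev.quick)
                == (r.action, r.proto, r.dst, r.dport, r.quick)
            )
            if mergeable:
                merged[-1] = replace(prev, src=prev.src | r.src)
                continue
        merged.append(r)
    return merged


def to_pf(r: Rule) -> str:
    """Render a Rule in pf.conf-like syntax for display."""
    def addr(s: Optional[FrozenSet[str]]) -> str:
        if s is None:
            return "any"
        if len(s) == 1:
            return next(iter(s))
        return "{ " + " ".join(sorted(s)) + " }"
    parts = [r.action]
    if r.quick:
        parts.append("quick")
    if r.proto:
        parts += ["proto", r.proto]
    parts += ["from", addr(r.src), "to", addr(r.dst)]
    if r.dport is not None:
        parts += ["port", str(r.dport)]
    if r.label:
        parts += ["label", f'"{r.label}"']
    return " ".join(parts)


# Constructed sample ruleset: a subset rule, an exact clone, two rules that
# differ only in source, and a labelled rule that must be preserved.
SAMPLE_RULES = [
    Rule("pass", "tcp", None, None, 443),
    Rule("pass", "tcp", host("10.0.0.5"), None, 443),   # subset of rule 1
    Rule("pass", "tcp", host("10.0.0.5"), None, 22),
    Rule("pass", "tcp", host("10.0.0.5"), None, 22),    # exact clone
    Rule("pass", "tcp", host("10.0.0.6"), None, 22),    # merges with rule 3
    Rule("block", None, host("192.0.2.7"), None, None, label="audit"),
]

if __name__ == "__main__":
    print("before:")
    for r in SAMPLE_RULES:
        print("  " + to_pf(r))
    print("after:")
    for r in optimize(SAMPLE_RULES):
        print("  " + to_pf(r))
```

Running it shows the six input rules reduced to three: the broad port 443 rule, one port 22 rule whose source became the table `{ 10.0.0.5 10.0.0.6 }`, and the labelled block rule untouched. That is the effect the original poster observed: cloning a rule changes the generated file but not the ruleset the kernel ends up with.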
Title: Re: Firewall Rules Optimization
Post by: franco on September 10, 2020, 11:10:02 AM
Hi Antonio,

There was an informative thread very recently about this topic.


Cheers,
Franco
Title: Re: Firewall Rules Optimization
Post by: franco on September 10, 2020, 11:11:04 AM
PS: https://forum.opnsense.org/index.php?topic=18964.0
Title: Re: Firewall Rules Optimization
Post by: iMac-ant on September 10, 2020, 11:49:56 AM
Thanks a lot Franco!
Title: Re: Firewall Rules Optimization
Post by: iMac-ant on September 10, 2020, 12:26:51 PM
Could someone tell me if there is an equivalent of the pf.conf file for OPNsense? Is it /tmp/rules.debug?
Title: Re: Firewall Rules Optimization
Post by: fabian on September 12, 2020, 08:20:48 PM
Yes, that file is the generated pf file which afterwards is loaded into the kernel.
Title: Re: Firewall Rules Optimization
Post by: iMac-ant on September 16, 2020, 03:49:15 PM
Thank you very much. I have another question:

The number of rules in /tmp/rules.debug (starting from antispoof log for <interface>) is greater than the number of rules obtained through pfctl -s rules. Why?

I'm just considering the default ruleset.