Firewall Rules Optimization

Started by iMac-ant, September 10, 2020, 10:47:08 AM

September 10, 2020, 10:47:08 AM Last Edit: September 10, 2020, 10:49:49 AM by iMac-ant
Hi,

How does the Firewall Ruleset Optimization setting work? Below is the man page entry for set ruleset-optimization from pf.conf:

basic -->    Enable basic ruleset optimization. This is the default behaviour. Basic ruleset optimization does four things to improve the performance of ruleset evaluations:

        1. remove duplicate rules
        2. remove rules that are a subset of another rule
        3. combine multiple rules into a table when advantageous
        4. reorder the rules to improve evaluation performance

none --> Disable the ruleset optimizer.
profile --> Uses the currently loaded ruleset as a feedback profile to tailor the ordering of quick rules to actual network traffic.

It is important to note that the ruleset optimizer will modify the ruleset to improve performance. A side effect of the ruleset modification is that per-rule accounting statistics will have different meanings than before. If per-rule accounting is important for billing purposes or whatnot, either the ruleset optimizer should not be used or a label field should be added to all of the accounting rules to act as optimization barriers.

Optimization can also be set as a command-line argument to pfctl, overriding the settings in pf.conf.


I tried cloning some rules in the LAN ruleset, and in Firewall --> Advanced Settings --> Miscellaneous the Firewall Rules Optimization is set to basic. When I reload all firewall services, the ruleset is the same. Why?

Thanks in advance.

Antonio
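The first two steps the quoted man page attributes to basic optimization (dropping duplicate rules and dropping rules that are a subset of another rule) are easy to see on a small ruleset. The script below is an added example written for this thread; it is not OPNsense or pf code and does not reproduce pf's real optimizer. It models a tiny subset of pf syntax, compares only consecutive rules with the same action, direction and quick flag (so it never has to reason about an intervening rule that could match first), treats a label as the optimization barrier the man page describes, and does not model the table combining or reordering steps. The sample ruleset is constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    quick: bool
    iface: str = "any"           # interface name, or "any" when there is no "on" clause
    proto: str = "any"           # "tcp", "udp", or "any"
    src: str = "any"             # CIDR network / host, or "any"
    dst: str = "any"
    port: str = "any"            # destination port, or "any"
    label: Optional[str] = None  # a label is an optimization barrier (per the pf.conf man page)


def parse_rule(line: str) -> Rule:
    """Parse the small pf subset modelled here:
    'pass|block in|out [log] [quick] [on IF] [proto P] [from SRC] [to DST [port N]] [label L]'."""
    t = line.split()
    fields = {"iface": "any", "proto": "any", "src": "any", "dst": "any", "port": "any"}
    keyword = {"on": "iface", "proto": "proto", "from": "src", "to": "dst", "port": "port"}
    label = None
    i = 2
    while i < len(t):
        if t[i] in keyword:
            fields[keyword[t[i]]] = t[i + 1]
            i += 2
        elif t[i] == "label":
            label = t[i + 1].strip('"')
            i += 2
        else:  # "quick", "log", and anything else this toy does not model
            i += 1
    return Rule(t[0], t[1], "quick" in t, label=label, **fields)


def _net_covers(general: str, specific: str) -> bool:
    """True when every address matched by `specific` is also matched by `general`."""
    if general == "any":
        return True
    if specific == "any":
        return False
    g, s = ip_network(general), ip_network(specific)
    return g.version == s.version and s.subnet_of(g)


def covers(general: Rule, specific: Rule) -> bool:
    """True when `specific` is a duplicate or a subset of `general`, so that
    dropping `specific` (when the two are adjacent) cannot change any verdict."""
    if general.label or specific.label:          # labelled rules are never merged
        return False
    if (general.action, general.direction, general.quick) != \
            (specific.action, specific.direction, specific.quick):
        return False
    return (general.iface in ("any", specific.iface)
            and general.proto in ("any", specific.proto)
            and general.port in ("any", specific.port)
            and _net_covers(general.src, specific.src)
            and _net_covers(general.dst, specific.dst))


def optimize_basic(rules: List[Rule]) -> List[Rule]:
    """Single pass over adjacent rules: drop a rule covered by its predecessor,
    or let a more general rule replace the narrower one just before it."""
    kept: List[Rule] = []
    for rule in rules:
        if kept and covers(kept[-1], rule):      # duplicate or subset of previous rule
            continue
        if kept and covers(rule, kept[-1]):      # previous rule is a subset of this one
            kept[-1] = rule
            continue
        kept.append(rule)
    return kept


def render(rule: Rule) -> str:
    parts = [rule.action, rule.direction, "quick" if rule.quick else "", "on", rule.iface]
    if rule.proto != "any":
        parts += ["proto", rule.proto]
    parts += ["from", rule.src, "to", rule.dst]
    if rule.port != "any":
        parts += ["port", rule.port]
    if rule.label:
        parts += ["label", f'"{rule.label}"']
    return " ".join(p for p in parts if p)


# Constructed sample ruleset: an exact duplicate, a /32 subset, a labelled
# (barrier) rule, a non-labelled twin of it, and a final catch-all block.
SAMPLE_RULESET = [
    "pass in quick on em0 proto tcp from 192.168.1.0/24 to any port 22",
    "pass in quick on em0 proto tcp from 192.168.1.0/24 to any port 22",
    "pass in quick on em0 proto tcp from 192.168.1.10/32 to any port 22",
    'pass in quick on em0 proto tcp from 192.168.1.0/24 to any port 443 label "billing"',
    "pass in quick on em0 proto tcp from 192.168.1.0/24 to any port 443",
    "block in log quick on em0 from any to any",
]

if __name__ == "__main__":
    before = [parse_rule(line) for line in SAMPLE_RULESET]
    after = optimize_basic(before)
    print(f"{len(before)} rules before, {len(after)} after:")
    for r in after:
        print("  " + render(r))
```

Running it shows the six constructed rules collapse to four: the duplicate and the /32 subset fold into the first rule, while the labelled port 443 rule and its unlabelled twin both survive because the label blocks the merge, which is exactly why the man page suggests labels when per-rule accounting matters.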

Hi Antonio,

There was an informative thread very recently about this topic.


Cheers,
Franco



September 10, 2020, 12:26:51 PM #4 Last Edit: September 10, 2020, 12:29:11 PM by iMac-ant
Could someone tell me if there is an equivalent of the pf.conf file for OPNsense? Is it /tmp/rules.debug?

Yes, that file is the generated pf file which afterwards is loaded into the kernel.

Thank you very much. I have another question:

The number of rules in /tmp/rules.debug (starting from antispoof log for <interface>) is greater than the number of rules obtained through pfctl -s rules. Why?

I'm just considering the default ruleset.