Home
Help
Search
Login
Register
OPNsense Forum
»
English Forums
»
Development and Code Review
(Moderator:
fabian
) »
Firewall Rules Optimization
« previous
next »
Print
Pages: [
1
]
Author
Topic: Firewall Rules Optimization (Read 3813 times)
iMac-ant
Newbie
Posts: 11
Karma: 0
Firewall Rules Optimization
«
on:
September 10, 2020, 10:47:08 am »
Hi,
how does function the Firewall Ruleset Optimization command? Follow the man of set ruleset-optimizan from pf.conf:
basic --> Enable basic ruleset optimization. This is the default behaviour. Basic ruleset optimization does four things to improve the performance of ruleset evaluations:
1. remove duplicate rules
2. remove rules that are a subset of another rule
3. combine multiple rules into a table when advantageous
4. reorder the rules to improve evaluation performance
none --> Disable the ruleset optimizer.
profile --> Uses the currently loaded ruleset as a feedback profile to tailor the ordering of quick rules to actual network traffic.
It is important to note that the ruleset optimizer will modify the ruleset to improve performance. A side effect of the ruleset modification is that per-rule accounting statistics will have different meanings than before. If per-rule accounting is important for billing purposes or whatnot, either the ruleset optimizer should not be used or a label field should be added to all of the accounting rules to act as optimization barriers.
Optimization can also be set as a command-line argument to pfctl, overriding the settings in pf.conf.
I try to clone some rules in LAN ruleset and in Firewall --> Advanced Settings --> Miscellaneous, the basic Firewall Rules Optimization is set. When I reload all fw services, the ruleset is the same. Why?
Thanks in advance.
Antonio
«
Last Edit: September 10, 2020, 10:49:49 am by iMac-ant
»
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Firewall Rules Optimization
«
Reply #1 on:
September 10, 2020, 11:10:02 am »
Hi Antonio,
There was an informative thread very recently about this topic.
Cheers,
Franco
Logged
franco
Administrator
Hero Member
Posts: 17661
Karma: 1611
Re: Firewall Rules Optimization
«
Reply #2 on:
September 10, 2020, 11:11:04 am »
PS:
https://forum.opnsense.org/index.php?topic=18964.0
Logged
iMac-ant
Newbie
Posts: 11
Karma: 0
Re: Firewall Rules Optimization
«
Reply #3 on:
September 10, 2020, 11:49:56 am »
Thanks a lot Franco!
Logged
iMac-ant
Newbie
Posts: 11
Karma: 0
Re: Firewall Rules Optimization
«
Reply #4 on:
September 10, 2020, 12:26:51 pm »
Someone could tell me if is there an equivalent pf.conf file for OPNSense? Is it /tmp/rules.debug?
«
Last Edit: September 10, 2020, 12:29:11 pm by iMac-ant
»
Logged
fabian
Moderator
Hero Member
Posts: 2769
Karma: 200
OPNsense Contributor (Language, VPN, Proxy, etc.)
Re: Firewall Rules Optimization
«
Reply #5 on:
September 12, 2020, 08:20:48 pm »
Yes, that file is the generated pf file which afterwards is loaded into the kernel.
Logged
iMac-ant
Newbie
Posts: 11
Karma: 0
Re: Firewall Rules Optimization
«
Reply #6 on:
September 16, 2020, 03:49:15 pm »
Thank you very much. I have another question:
The number of rules in /tmp/rules.debug (starting from antispoof lof for <interface>) is grather than the number of rules obtained through pfctl -s rules. Why?
I'm just considering the default ruleset.
Logged
Print
Pages: [
1
]
« previous
next »
OPNsense Forum
»
English Forums
»
Development and Code Review
(Moderator:
fabian
) »
Firewall Rules Optimization