Topic: Firewall optimisation and aliases (Read 1174 times)
clarknova
« on: July 27, 2021, 11:55:52 pm »
Maybe I'm splitting hairs here, but I don't know, so I'll ask. I have read the OpenBSD documentation and didn't find the answers I'm looking for, and digging into the code would likely leave me more confused.
When creating a firewall alias, is one of these better than the other in terms of economy of processing?
Type: Host; Content: 192.168.1.2, 192.168.1.3
Type: Network; Content: 192.168.1.2/31
I think for larger networks the intuitive answer is that the latter method is superior, I'm just wondering if the answer changes for a sufficiently small network.
Similarly, does the answer change if I have a mix of hosts and networks?
Type: Host; Content: 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4
Type: Network; Content: 192.168.1.1, 192.168.1.2/31, 192.168.1.4
Maybe a better question would be how OPNsense expands aliases like these when creating actual pf rulesets. Then a person could draw their own conclusions when deciding how to craft their aliases.
franco
Administrator
Re: Firewall optimisation and aliases
« Reply #1 on: July 28, 2021, 09:31:09 am »
You can see the table contents from the pfTable diagnostics page. There are also network ranges (IP-IP) and negation (!IP) to play with.
From what I can tell, ranges are converted into subnets and stray /32 addresses internally.
Cheers,
Franco
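
The range-to-subnet decomposition mentioned in the reply, as an added example that is not part of the original posts and is not OPNsense or pf code. It uses Python's standard `ipaddress` module to show how an IP-IP range breaks down into subnets plus stray /32 addresses, and that the host-only and mixed aliases from the question cover the same address set; the function names are hypothetical, and negation (!IP) entries are not handled.

```python
import ipaddress


def entry_to_networks(entry):
    """Turn one alias entry (host, CIDR network, or IP-IP range) into CIDR networks."""
    entry = entry.strip()
    if "-" in entry:
        first, last = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if first.version != last.version or first > last:
            raise ValueError(f"bad range: {entry}")
        # A range is decomposed into the fewest aligned subnets that cover it.
        return list(ipaddress.summarize_address_range(first, last))
    # strict=True rejects entries such as 192.168.1.3/31 that have host bits set.
    return [ipaddress.ip_network(entry, strict=True)]


def alias_to_networks(content):
    """Expand a comma-separated alias content string, entry by entry."""
    nets = []
    for entry in content.split(","):
        nets.extend(entry_to_networks(entry))
    return nets


def covered(content):
    """Minimal CIDR set for an alias; identical for aliases matching the same addresses."""
    return list(ipaddress.collapse_addresses(alias_to_networks(content)))


if __name__ == "__main__":
    # Alias contents taken from the question, plus the equivalent IP-IP range.
    samples = [
        "192.168.1.1-192.168.1.4",
        "192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4",
        "192.168.1.1, 192.168.1.2/31, 192.168.1.4",
    ]
    for content in samples:
        print(content)
        print("  entries  :", [str(n) for n in alias_to_networks(content)])
        print("  collapsed:", [str(n) for n in covered(content)])
```

Comparing the output with the table contents on the pfTable diagnostics page shows what the firewall actually loaded for a given alias.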