Firewall optimisation and aliases

Started by clarknova, July 27, 2021, 11:55:52 PM

Maybe I'm splitting hairs here, but I don't know, so I'll ask. I have read the OpenBSD documentation and didn't find the answers I'm looking for, and digging into the code would likely leave me more confused.

When creating a firewall alias, is one of these better than the other in terms of economy of processing?

  • Type: Host; Content: 192.168.1.2, 192.168.1.3
  • Type: Network; Content: 192.168.1.2/31

I think for larger networks the intuitive answer is that the latter method is superior; I'm just wondering if the answer changes for a sufficiently small network.

Similarly, does the answer change if I have a mix of hosts and networks?

  • Type: Host; Content: 192.168.1.1, 192.168.1.2, 192.168.1.3, 192.168.1.4
  • Type: Network; Content: 192.168.1.1, 192.168.1.2/31, 192.168.1.4

Maybe a better question would be how OPNsense expands aliases like these when creating actual pf rulesets. Then a person could draw their own conclusions when deciding how to craft their aliases.

You can see the table contents from the pfTable diagnostics page. There are also network ranges (IP-IP) and negation (!IP) to play with.

From what I can tell ranges are converted into subnets and stray /32 addresses internally.


Cheers,
Franco
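An added example, not posted by either participant and not OPNsense's own code: a small Python model of what the thread describes, built on the standard `ipaddress` module. It expands clarknova's alias variants the way the reply says the table is filled (hosts become /32 entries, CIDRs stay as written, an IP-IP range becomes the minimal set of subnets plus stray /32 addresses) and then checks that the Host and Network forms match the same addresses. The `!` handling is modelled as longest-prefix match, which is an assumption about pf table semantics, and the script says nothing about which form pf evaluates faster.

```python
import ipaddress


def expand_entry(entry):
    """Expand one alias entry into pf-table form as (negated, [network, ...]).
    Hosts become /32s, CIDRs are kept, and an IP-IP range is summarised into
    the minimal set of subnets plus stray /32 addresses."""
    entry = entry.strip()
    negated = entry.startswith("!")
    if negated:
        entry = entry[1:].strip()
    if "-" in entry:
        lo, hi = (ipaddress.ip_address(p.strip()) for p in entry.split("-", 1))
        if hi < lo:
            raise ValueError(f"range {entry!r} runs backwards")
        nets = list(ipaddress.summarize_address_range(lo, hi))
    else:
        nets = [ipaddress.ip_network(entry, strict=False)]
    return negated, nets


def fmt(net):
    """Render like a table listing: a bare address for a host, CIDR otherwise."""
    return str(net.network_address) if net.prefixlen == net.max_prefixlen else str(net)


def alias_table(entries):
    """Table contents for an alias: one line per expanded entry, duplicates
    dropped, negated entries kept with their leading '!'."""
    seen, out = set(), []
    for e in entries:
        negated, nets = expand_entry(e)
        for n in nets:
            line = ("!" if negated else "") + fmt(n)
            if line not in seen:
                seen.add(line)
                out.append(line)
    return out


def table_matches(entries, addr):
    """Does the table built from `entries` match `addr`?  The most specific
    covering entry decides; if that entry is negated the address is excluded
    (longest-prefix match, assumed here to mirror pf's '!' handling)."""
    ip = ipaddress.ip_address(addr)
    best = None  # (prefix length, negated) of the most specific hit so far
    for e in entries:
        negated, nets = expand_entry(e)
        for n in nets:
            if ip in n and (best is None or n.prefixlen > best[0]):
                best = (n.prefixlen, negated)
    return best is not None and not best[1]


if __name__ == "__main__":
    # clarknova's two pairs: same match set, different number of table lines
    for hosts, nets in ((["192.168.1.2", "192.168.1.3"], ["192.168.1.2/31"]),
                        (["192.168.1.1", "192.168.1.2", "192.168.1.3", "192.168.1.4"],
                         ["192.168.1.1", "192.168.1.2/31", "192.168.1.4"])):
        print("Host   :", alias_table(hosts))
        print("Network:", alias_table(nets))
    print("Range  :", alias_table(["192.168.1.1-192.168.1.4"]))
```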