Firewall Wizards mailing list archives
Re: [FW1] How many rules can exists in fw1 ?
From: Vern Paxson <vern () ee lbl gov>
Date: Sat, 19 Sep 1998 20:33:17 PDT
... This means the amount of Inspect code is probably directly proportional to the overhead the firewall is going to experience each time it needs to analyze traffic. In short, make it concise, since more rules may slow down your firewall.
I don't know about Inspect in particular, but there are finite-automaton style matchers that don't significantly increase in overhead as you add more rules. See this year's SIGCOMM proceedings for two papers on fast matching:

    High Speed Policy-based Packet Forwarding Using Efficient Multi-dimensional Range Matching, T.V. Lakshman and D. Stiliadis

    Fast Scalable Algorithms for Level Four Switching, V. Srinivasan, George Varghese, Subash Suri, Marcel Waldvogel

Abstracts (and perhaps full papers) should be available off of:

    http://www.acm.org/sigcomm/sigcomm98/

- Vern
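Added example, not part of the original message and not code from Inspect or the cited papers: one way to keep per-packet cost from growing with each added rule. Each field's rule ranges are precompiled into elementary intervals that carry a bitmap of the rules covering them, so a lookup is one binary search per field plus a bitwise AND, compared here with a first-match linear scan. The rule set, the two-field layout (source address, destination port) and all function names are constructed for illustration.

```python
from bisect import bisect_right

# Constructed rule set, first match wins: (src range, dst-port range, action).
RULES = [
    ((0x0A000000, 0x0AFFFFFF), (22, 22), "accept"),       # 10/8 -> ssh
    ((0x00000000, 0xFFFFFFFF), (22, 23), "drop"),         # anyone else -> ssh/telnet
    ((0x00000000, 0xFFFFFFFF), (80, 80), "accept"),       # any -> http
    ((0xC0A80000, 0xC0A8FFFF), (1024, 65535), "accept"),  # 192.168/16 -> high ports
    ((0x00000000, 0xFFFFFFFF), (0, 65535), "drop"),       # default deny
]

def linear_match(rules, pkt):
    """Baseline: test rules in order; work grows with the number of rules."""
    for *ranges, action in rules:
        if all(lo <= v <= hi for (lo, hi), v in zip(ranges, pkt)):
            return action
    return None

def build_index(rules):
    """Per field: sorted interval start points and, for each elementary
    interval, a bitmap whose bit i is set when rule i covers that interval."""
    index = []
    for d in range(len(rules[0]) - 1):
        # Every range start and (end + 1) is a boundary, so the set of
        # covering rules is constant inside each elementary interval.
        starts = sorted({0} | {r[d][0] for r in rules} | {r[d][1] + 1 for r in rules})
        bitmaps = []
        for s in starts:
            bits = 0
            for i, r in enumerate(rules):
                if r[d][0] <= s <= r[d][1]:
                    bits |= 1 << i
            bitmaps.append(bits)
        index.append((starts, bitmaps))
    return index

def indexed_match(rules, index, pkt):
    """One binary search per field, AND the bitmaps, take the lowest set bit."""
    bits = -1  # all ones
    for (starts, bitmaps), v in zip(index, pkt):
        bits &= bitmaps[bisect_right(starts, v) - 1]
    if bits == 0:
        return None
    first = (bits & -bits).bit_length() - 1  # lowest index = highest priority
    return rules[first][-1]
```

The bitmap AND still touches one bit per rule, so cost is not strictly constant, but it is a word-wise operation rather than a per-rule range comparison; the price is paid at build time and in index memory.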