List: ipfilter
Subject: Cost of a negation rule
From: "a b" <tripivceta () hotmail ! com>
Date: 2006-01-29 10:47:43
Message-ID: BAY108-F38B38109E304B821C0C81FDC160 () phx ! gbl
Hopefully a simple question:
I have a ruleset with six or more rules that could effectively be solved
with two, three negation rules at most in ipf.conf.
However, coming from a FW-1 / NG background, CheckPoint teaches us that
negation rules are very CPU expensive / intensive.
How about ipf? Is it more expensive to use a single negation rule in
ipf.conf, or is it faster to rewrite / expand the negation rule to multiple
rules?
My fear is that if I expand / rewrite the negation rule, I may miss
something and thereby create a security hole, whereby a negation rule would
cover everything.
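The post's second concern, that a hand-expanded rule list might silently miss an address range the original negation covered, can be checked mechanically. The following script is an added example, not code from the post or from the ipfilter project: it models a negation rule ("pass unless the source is inside one of these networks") and an ordered expanded rule list, evaluates the expansion with ipf's default last-match-wins semantics (a matching rule marked `quick` ends evaluation), and reports every probed address on which the two disagree. The three private networks and the deliberately incomplete expansion are constructed sample values, not anything from the thread.

```python
"""Compare a negation rule against its hand-expanded replacement.

Added example (not from the original post). Assumes ipfilter semantics:
rules are evaluated top to bottom, the last matching rule decides, unless a
matching rule carries 'quick', which stops evaluation at that rule.
"""
from ipaddress import IPv4Address, ip_network
import random

# Networks excluded by the hypothetical negation rule, i.e. the set behind
# something like "pass in from !<these> to any". Constructed sample values.
NEGATED = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]

# Hand-expanded replacement as (action, source network, quick) in ipf.conf
# order. This version deliberately omits 172.16.0.0/12 so the checker has a
# gap to find; EXPANDED_GOOD adds the missing block rule.
EXPANDED_BAD = [
    ("pass", ip_network("0.0.0.0/0"), False),
    ("block", ip_network("10.0.0.0/8"), True),
    ("block", ip_network("192.168.0.0/16"), True),
]
EXPANDED_GOOD = EXPANDED_BAD + [("block", ip_network("172.16.0.0/12"), True)]


def negation_decision(src, negated):
    """Decision of the single negation rule: block inside a negated net, else pass."""
    src = IPv4Address(src)
    return "block" if any(src in net for net in negated) else "pass"


def ruleset_decision(src, rules, default="block"):
    """Evaluate an ordered rule list: last match wins unless a matching rule
    is quick, which ends evaluation immediately. 'default' applies when no
    rule matches at all."""
    src = IPv4Address(src)
    decision = default
    for action, net, quick in rules:
        if src in net:
            decision = action
            if quick:
                break
    return decision


def boundary_addresses(networks):
    """Addresses where coverage mistakes show up first: the edges of every
    network and the addresses immediately outside them."""
    addrs = set()
    for net in networks:
        first, last = int(net.network_address), int(net.broadcast_address)
        for n in (first - 1, first, last, last + 1):
            if 0 <= n <= 0xFFFFFFFF:
                addrs.add(IPv4Address(n))
    return addrs


def find_mismatches(negated, rules, samples=2000, seed=1):
    """Return the probed addresses on which the expansion disagrees with the
    negation rule. Probes are all network boundaries plus random addresses."""
    rng = random.Random(seed)
    probe = boundary_addresses(negated + [net for _, net, _ in rules])
    probe |= {IPv4Address(rng.getrandbits(32)) for _ in range(samples)}
    return sorted(a for a in probe
                  if negation_decision(a, negated) != ruleset_decision(a, rules))


if __name__ == "__main__":
    for name, rules in (("EXPANDED_BAD", EXPANDED_BAD), ("EXPANDED_GOOD", EXPANDED_GOOD)):
        bad = find_mismatches(NEGATED, rules)
        print(f"{name}: {len(bad)} mismatching addresses", bad[:4])
```

The boundary probes matter more than the random ones: an expansion that is off by one bit in a mask only disagrees at the edges of a range, which random sampling of the IPv4 space is unlikely to hit. The script says nothing about the CPU cost question, only whether the expansion is equivalent.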