
List:       ipfilter
Subject:    Cost of a negation rule
From:       "a b" <tripivceta () hotmail ! com>
Date:       2006-01-29 10:47:43
Message-ID: BAY108-F38B38109E304B821C0C81FDC160 () phx ! gbl

Hopefully a simple question:

I have a ruleset with six or more rules that could effectively be solved 
with two or three negation rules at most in ipf.conf.

However, coming from a FW-1 / NG background, CheckPoint teaches us that 
negation rules are very CPU expensive / intensive.

How about ipf? Is it more expensive to use a single negation rule in 
ipf.conf, or is it faster to rewrite / expand the negation rule to multiple 
rules?

My fear is that if I expand / rewrite the negation rule, I may miss 
something and thereby create a security hole, whereby a negation rule would 
cover everything.
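The expansion risk raised above, as an added example that is not part of the original post: a small Python model of ipf rule ordering (last matching rule wins, `quick` ends evaluation) used to check whether a rewritten ruleset decides the same way as the negation rule it replaces. The policy, the sample addresses and the pass-by-default for packets matching no rule are constructed assumptions, not taken from the poster's ipf.conf.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    action: str           # "pass" or "block"
    src: str              # source network in CIDR, models "from <net>"
    negate: bool = False  # True models "from ! <net>"
    quick: bool = False   # True models the "quick" keyword

    def matches(self, ip):
        hit = ip in ipaddress.ip_network(self.src)
        return hit != self.negate  # invert the match when negated


def decide(rules, addr, default="pass"):
    """ipf ordering: the last matching rule wins, unless a matching rule
    carries 'quick', which ends evaluation at once. The verdict for a
    packet matching no rule is an assumption, made configurable here."""
    ip = ipaddress.ip_address(addr)
    verdict = default
    for r in rules:
        if r.matches(ip):
            verdict = r.action
            if r.quick:
                break
    return verdict


def differences(rules_a, rules_b, addrs):
    """Addresses on which two rulesets disagree; empty means the
    rulesets are equivalent on that sample."""
    return [a for a in addrs if decide(rules_a, a) != decide(rules_b, a)]


# Constructed policy: only the internal net 10.0.0.0/8 may come in.
NEGATED = [Rule("block", "10.0.0.0/8", negate=True, quick=True)]
# Same policy without negation: pass the net, then block everything else.
EXPANDED_OK = [Rule("pass", "10.0.0.0/8", quick=True),
               Rule("block", "0.0.0.0/0")]
# Expansion with the catch-all block forgotten: the hole the poster fears.
EXPANDED_BAD = [Rule("pass", "10.0.0.0/8", quick=True)]

# Constructed sample of source addresses inside and outside the net.
SAMPLE = ["10.1.2.3", "10.255.0.1", "192.168.1.1", "8.8.8.8", "172.16.0.5"]

if __name__ == "__main__":
    print("equivalent :", differences(NEGATED, EXPANDED_OK, SAMPLE))
    print("disagree on:", differences(NEGATED, EXPANDED_BAD, SAMPLE))
```

Sampling addresses only demonstrates a disagreement; it cannot prove two rulesets equal, so a manually expanded ruleset still needs the catch-all rule reviewed by hand.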

