Re: NPF tuning

To: Hauke Fath <hauke%Espresso.Rhein-Neckar.DE@localhost>
Subject: Re: NPF tuning
From: Mindaugas Rasiukevicius <rmind%netbsd.org@localhost>
Date: Tue, 17 Jan 2017 20:03:46 +0000

Hauke Fath <hauke%Espresso.Rhein-Neckar.DE@localhost> wrote:
> On Sun, 15 Jan 2017 23:19:34 +0100, Manuel Bouyer wrote:
> > 240 is still not that much. I used to have more than 2000 rules with
> > ipf (before we replaced this box with a cisco).
> 
> It is even worse because npf has many restrictions compared to {i,}pf 
> that lead to rule duplication.
> 

You can always fall back to pcap-filter in NPF, e.g.:

	pass in final pcap-filter "tcp and src 10.0.0.1"

This gives you tcpdump syntax.  Also, use tables whenever possible.

-- 
Mindaugas

Follow-Ups:
- Re: NPF tuning
  - From: Hauke Fath

References:
- NPF tuning
  - From: Egerváry Gergely
- Re: NPF tuning
  - From: Mindaugas Rasiukevicius
- Re: NPF tuning
  - From: Egerváry Gergely
- Re: NPF tuning
  - From: Manuel Bouyer
- Re: NPF tuning
  - From: Hauke Fath

Prev by Date: Re: blacklistd and IPv6 mapped IPv4 addresses
Next by Date: Re: NPF tuning
Previous by Thread: Re: NPF tuning
Next by Thread: Re: NPF tuning
Indexes:

Home | Main Index | Thread Index | Old Index