Specifically, the more rules each packet has to go through before matching an
'allow' line, the longer the packet delay. A ten line filter is actually pretty long,
but if you can craft the filter so that most of the packets match on one of the
first lines, by using:
permit 0.0.0.0/0 0.0.0.0/0 tcp estab
then the number of additional rules, which most packets never see, won't
be an issue: ComOS uses 'short circuit' rule evaluation (it stops at the first matching rule).
BTW, if you are setting up filters on .in for dialup users, you should strongly
consider including 'anti-spoofing' rules, only allowing users to originate
packets with a legitimate source address. In the case of dynamically assigned
IPs, you'd need to set the filter to allow any user to originate any address
from within that Portmaster's pool.
If you're using assigned IP addresses and routing subnets to customers,
We're almost finished with a little (free) Perl utility to read the 'users'
file and generate anti-spoofing ChoiceNet filters for each user.
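As an added illustration (not the poster's code, not the Perl utility mentioned above, and not ComOS or ChoiceNet syntax), the following Python model applies first-match evaluation to rules written in the post's notation. It builds a pool-restricted anti-spoofing .in filter from a constructed 192.0.2.0/24 pool and constructed destination addresses, and counts how many rules each packet traverses with the 'tcp estab' rule first versus last; the model assumes that a packet matching no rule is denied.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of first-match ("short circuit") filter evaluation in the
# rule notation the post uses: "permit|deny SRC/BITS DST/BITS PROTO [estab]".
# It illustrates that rule style; it is not ComOS or ChoiceNet code.

@dataclass
class Packet:
    src: str
    dst: str
    proto: str           # "tcp", "udp" or "icmp"
    estab: bool = False  # TCP segment belonging to an established connection

def parse_rule(line):
    parts = line.split()
    action, src, dst = parts[0], parts[1], parts[2]
    proto = parts[3] if len(parts) > 3 else "ip"  # no protocol given: any
    return action, ipaddress.ip_network(src), ipaddress.ip_network(dst), proto, "estab" in parts[4:]

def rule_matches(rule, pkt):
    _, src, dst, proto, estab = rule
    return (ipaddress.ip_address(pkt.src) in src
            and ipaddress.ip_address(pkt.dst) in dst
            and proto in ("ip", pkt.proto)
            and (pkt.estab or not estab))

def evaluate(rules, pkt):
    """Return (action, rules_examined): rules are tried in order, evaluation
    stops at the first match, and a packet matching nothing is denied."""
    for n, rule in enumerate(rules, 1):
        if rule_matches(rule, pkt):
            return rule[0], n
    return "deny", len(rules)

def average_rules_examined(rules, packets):
    return sum(evaluate(rules, p)[1] for p in packets) / len(packets)

POOL = "192.0.2.0/24"  # constructed stand-in for the Portmaster's dynamic pool
# Anti-spoofing .in filter: every permit is restricted to the pool, so a user
# originating any other source address falls through to the implicit deny.
# The 'estab' rule keeps that restriction; a 0.0.0.0/0 source there would undo it.
R_ESTAB = f"permit {POOL} 0.0.0.0/0 tcp estab"
R_SPECIFIC = [f"permit {POOL} 198.51.100.5/32 tcp",  # constructed destinations
              f"permit {POOL} 198.51.100.7/32 tcp",
              f"permit {POOL} 198.51.100.9/32 udp",
              f"permit {POOL} 0.0.0.0/0 icmp"]
ESTAB_FIRST = [parse_rule(r) for r in [R_ESTAB] + R_SPECIFIC]
ESTAB_LAST = [parse_rule(r) for r in R_SPECIFIC + [R_ESTAB]]

TRAFFIC = [  # constructed sample: mostly established TCP, one spoofed source
    Packet("192.0.2.10", "198.51.100.5", "tcp", True),
    Packet("192.0.2.10", "203.0.113.20", "tcp", True),
    Packet("192.0.2.11", "203.0.113.20", "tcp", True),
    Packet("192.0.2.11", "198.51.100.7", "tcp"),         # new connection
    Packet("192.0.2.12", "198.51.100.9", "udp"),
    Packet("203.0.113.4", "198.51.100.5", "tcp", True),  # not from the pool
]
```

With the sample traffic the 'estab' rule placed first averages 2.5 rules examined per packet against 3.5 with it last, while the spoofed packet is denied in either ordering.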
-
To unsubscribe, email 'majordomo@livingston.com' with
'unsubscribe portmaster-users' in the body of the message.
Searchable list archive: <URL:http://www.livingston.com/Tech/archive/>