How to: PF Firewall Ruleset Optimization

Posted in Categories Howto, OpenBSD. Last updated September 28, 2006.

OpenBSD Journal (undeadly.org) has published an excellent PF Firewall Ruleset Optimization tutorial.

From the article:
“This is the first installment in a series of three articles about PF. I originally wrote them as chapters for a book, but then publication was cancelled. Luckily, the rights could be salvaged, and now you get to enjoy them as undeadly.org exclusives.”

Firewall Ruleset Optimization topics:

  • Goals
  • The significance of packet rate
  • When pf is the bottleneck
  • Filter statefully
  • The downside of stateful filtering
  • Ruleset evaluation
  • Ordering rulesets to maximize skip steps
  • Use tables for address lists
  • Use quick to abort ruleset evaluation when rules match
  • Anchors with conditional evaluation
  • Let pfctl do the work for you
  • Testing Your Firewall (read)
  • Firewall Management (upcoming)
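As an added example that is not part of this post or of the undeadly.org article, the fragment below applies several of the listed techniques in one small pf.conf: tables instead of per-address rules, rules grouped by interface and protocol to maximize skip steps, stateful filtering, and quick to stop evaluation early. Interface names and addresses are constructed placeholders.

```pf
# Added example (not from the undeadly.org article). em0/em1 and all
# addresses are constructed placeholders.
ext_if = "em0"
int_if = "em1"

# Use tables for address lists: one rule and a radix-tree lookup instead
# of one rule per address, and entries can change without a ruleset reload.
table <rfc1918>    const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
table <admins>     { 192.0.2.10, 192.0.2.11 }
table <bruteforce> persist

# Loopback never needs filtering; skipping it removes it from evaluation.
set skip on lo0

# Default deny, then group rules by interface, direction, address family and
# protocol so pf can skip whole blocks that cannot match a given packet.
block all
block in quick on $ext_if from <rfc1918> to any      # spoofed private sources
block in quick on $ext_if from <bruteforce> to any   # addresses added at runtime

# Filter statefully: only the first packet of a connection walks the ruleset,
# later packets are matched in the state table. "quick" ends evaluation as
# soon as the rule matches, so the remaining rules are not examined.
pass in  quick on $ext_if inet proto tcp from <admins> to ($ext_if) port 22 \
    keep state (max-src-conn-rate 5/30, overload <bruteforce> flush global)
pass in  quick on $ext_if inet proto tcp from any to ($ext_if) port { 80, 443 } \
    keep state
pass out quick on $ext_if keep state
pass in  quick on $int_if keep state
```

Check the syntax without installing it with `pfctl -nvf /etc/pf.conf`, and after some traffic compare the per-rule Evaluations counters from `pfctl -vsr` to see how much of the ruleset each packet actually touches.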

Read more at OpenBSD journal

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector. Follow him on Twitter, Facebook, Google+.
