From: Robert M. <rg...@ht...> - 2008-01-01 23:53:28
Tom Eastep wrote:
> Tom Eastep wrote:
>> Robert Moskowitz wrote:
>>> I have 2 interfaces: Pub and VoIP
>>>
>>> I need to allow port 80 into VoIP (FreePBX functions), and 80 out (yum
>>> updates), so I have the rules:
>>>
>>> ACCEPT Pub VoIP tcp 80
>>> ACCEPT VoIP Pub tcp 80
>>> ACCEPT fw Pub tcp 80
>>>
>>> Seems this can be expressed in one rule:
>>>
>>> ACCEPT all all- tcp 80
>>>
>>> Is the one rule 'faster' than the three?
>>>
>> No -- Shorewall expands the one rule into three.
>>
>
> Actually, it expands into 4 rules:
>
> Pub->Voip
> Voip->Pub
> fw->Voip
> fw->Pub

And thus another exercise in the danger of too general of a rule. The fw->VoIP does not hurt; in this case. But we see the point....

So now I will go over my general rules. Where I need bi-directional session initiation, I have used the form:

ACCEPT all- all- {tcp|udp} <port list>

this does seem to only expand to the rules:

ACCEPT Pub VoIP {tcp|udp} <port list>
ACCEPT VoIP Pub {tcp|udp} <port list>

.....
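As an added illustration, not code from the thread or from Shorewall itself: a small Python model of how the `all` / `all-` zone keywords expand into per-zone-pair rules, run over the thread's own rules to list the zone pair the one-line form opens that the three explicit rules never did. The zone list and the `fw` zone name are constructed for this example (`fw` is Shorewall's default firewall zone name); the `+` suffix handling follows Shorewall's documented `all+` keyword, which adds intra-zone pairs that plain `all` leaves out.

```python
"""Model Shorewall's expansion of 'all' / 'all-' / 'all+' in the SOURCE and
DEST columns of a rules-file line, to see which zone pairs one general rule
really opens compared with a set of explicit per-zone rules."""

from collections import namedtuple

# Constructed zone list for this example: the firewall zone plus the two
# zones named in the thread.
FW_ZONE = "fw"
ZONES = [FW_ZONE, "Pub", "VoIP"]

Rule = namedtuple("Rule", "action source dest proto ports")


def expand_zone(spec, zones=ZONES):
    """Expand one SOURCE/DEST column entry.

    Returns (zone_list, intra_zone_ok):
      - a plain zone name stands for itself;
      - 'all' is every zone, the firewall zone included;
      - a trailing '-' (as in 'all-') drops the firewall zone;
      - a trailing '+' (as in 'all+') also permits intra-zone pairs, which
        plain 'all' never generates.
    """
    if not spec.startswith("all"):
        return [spec], True
    mods = spec[len("all"):]
    selected = [z for z in zones if not ("-" in mods and z == FW_ZONE)]
    return selected, "+" in mods


def expand_rule(action, source, dest, proto, ports, zones=ZONES):
    """Expand one rules-file line into the per-zone-pair rules that would
    actually be installed, in zone-list order."""
    src_zones, src_intra = expand_zone(source, zones)
    dst_zones, dst_intra = expand_zone(dest, zones)
    intra_ok = src_intra and dst_intra   # only 'all' without '+' suppresses X->X
    expanded = []
    for s in src_zones:
        for d in dst_zones:
            if s == d and not intra_ok:
                continue
            expanded.append(Rule(action, s, d, proto, ports))
    return expanded


def extra_pairs(general, explicit):
    """Zone pairs opened by the general rule but absent from the explicit
    rules: the over-general opening the thread warns about."""
    explicit_pairs = {(r.source, r.dest) for r in explicit}
    return sorted({(r.source, r.dest) for r in general} - explicit_pairs)


def thread_example():
    """The three explicit rules from the thread versus the one-line form."""
    explicit = [
        Rule("ACCEPT", "Pub", "VoIP", "tcp", "80"),
        Rule("ACCEPT", "VoIP", "Pub", "tcp", "80"),
        Rule("ACCEPT", "fw", "Pub", "tcp", "80"),
    ]
    general = expand_rule("ACCEPT", "all", "all-", "tcp", "80")
    return general, extra_pairs(general, explicit)


if __name__ == "__main__":
    general, extra = thread_example()
    for r in general:
        print(f"{r.action:7} {r.source:5} {r.dest:5} {r.proto} {r.ports}")
    print("opened by the general rule but not in the explicit set:", extra)
```

Running it prints the four expanded rules and reports `[('fw', 'VoIP')]` as the pair the explicit rules did not contain; the same function applied to `ACCEPT all- all- tcp <port>` yields only the Pub/VoIP pair in both directions, matching the observation at the end of the message.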