Great Circle Associates Firewalls
(July 1997)

Subject: RE: IP Filters?
From: Ken Hardy <ken @ bridge . com>
Date: Thu, 3 Jul 1997 13:19:15 -0500 (CDT)
To: montenegro @ nutec . com . br, Firewalls @ GreatCircle . COM, BSTACKPO @ sla . com
Cc: firewalls @ GreatCircle . COM

"Stackpole, Bill" <BSTACKPO @ sla . com> wrote:

>There are some techniques you can use to speed up access list
>processing.  Remember a Cisco list is exited on the first true so you
>can add lines like:
>
>	! TCP or UDP Ports above the last service you are permitting
>	!   this is done to speed up the list processing
>	access-list 101 deny   tcp any host 255.255.255.255 gt 80
>	access-list 101 deny   udp any host 255.255.255.255 gt 19
>
>just before all the specific rules to speed up list processing.

Seems to me that that would speed things up most *if* the most common
packets were those you're denying.  Hopefully people are not
continually banging on your router with prohibited traffic, and most of
the packets it needs to process are those that are specifically
allowed.  In such a case, wouldn't it make more sense to put the rules
that *allow* the most common traffic first?  Just guessing, but you ought
to be able to get 80%-90% or more of all packets to hit within the first
half-dozen or so rules.

--
KH
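As an added illustration (not part of the thread), here is a small Python model of first-match access-list processing that counts how many lines are examined for a constructed traffic mix under the two orderings discussed above: deny-high-ports-first versus permit-common-traffic-first. The rule lines, ports and packet counts are all assumed, addresses are ignored, and the model also checks that the reordering left every flow's permit/deny decision unchanged, which is the condition under which moving lines around is safe.

```python
"""First-match ACL cost model: Cisco lists stop at the first matching line
(implicit deny at the end), so lines examined per packet depend on rule order
and on the traffic profile. Addresses are ignored; only proto/dport matched."""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    proto: str            # "tcp", "udp" or "ip" (ip matches any protocol)
    port_op: "str | None"  # "eq", "gt", "lt" or None for any destination port
    port: "int | None"
    def matches(self, proto, dport):
        if self.proto != "ip" and self.proto != proto:
            return False
        if self.port_op is None:
            return True
        return {"eq": dport == self.port, "gt": dport > self.port,
                "lt": dport < self.port}[self.port_op]

def parse_acl(lines):
    """Parse 'access-list N action proto src dst [op port]' lines into Rules."""
    rules = []
    for tok in (line.split() for line in lines):
        op, port = (tok[-2], int(tok[-1])) if tok[-2] in ("eq", "gt", "lt") else (None, None)
        rules.append(Rule(tok[2], tok[3], op, port))
    return rules

def evaluate(acl, proto, dport):
    """Return (decision, number of lines examined) for one packet."""
    for n, rule in enumerate(acl, 1):
        if rule.matches(proto, dport):
            return rule.action, n
    return "deny", len(acl)  # implicit deny: every line was examined

def total_evaluations(acl, traffic):
    """Lines examined summed over a traffic sample {(proto, dport): packets}."""
    return sum(evaluate(acl, p, d)[1] * n for (p, d), n in traffic.items())

def same_decisions(acl_a, acl_b, traffic):
    """Reordering is only safe if every flow still gets the same permit/deny."""
    return all(evaluate(acl_a, p, d)[0] == evaluate(acl_b, p, d)[0] for p, d in traffic)

# Constructed traffic profile: mostly permitted web/mail/DNS, a little junk.
TRAFFIC = {("tcp", 80): 700, ("tcp", 25): 150, ("udp", 53): 100,
           ("tcp", 2000): 30, ("udp", 2000): 20}
DENY_FIRST = ["access-list 101 deny   tcp any any gt 80",   # deny high ports first,
              "access-list 101 deny   udp any any gt 53",   # as quoted in the thread
              "access-list 101 permit tcp any any eq 80",
              "access-list 101 permit tcp any any eq 25",
              "access-list 101 permit udp any any eq 53"]
ALLOW_FIRST = DENY_FIRST[2:] + DENY_FIRST[:2]  # Ken's ordering: common permits first

if __name__ == "__main__":
    for name, acl in (("deny-first", DENY_FIRST), ("allow-first", ALLOW_FIRST)):
        print(name, total_evaluations(parse_acl(acl), TRAFFIC), "line evaluations")
    print("same policy:", same_decisions(parse_acl(DENY_FIRST), parse_acl(ALLOW_FIRST), TRAFFIC))
```

With this traffic mix the deny-first list costs 3270 line evaluations against 1520 for the permit-first list, while both reach identical decisions for every flow.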
