Netgate Discussion Forum
    Pf rule processing order and performance

    FJSchrankJr:

      Does anyone know if 'quick' mode is enabled by default in pf on pfsense? I am trying to figure out if the firewall does stop processing rules after the first match or if it uses the default of "last match wins", in which case the firewall linearly scans all rules and the last matching rule is the effective one.

      From our production use over the last year, it looks like it's first-match wins but I want to confirm.

      Thank you for your insight! -Fred

      FJS - Embedded Systems Engineer
      Pictures are worth a thousand words, but posting config.xml backups are worth 10,000. Alter the IPs, change anything revealing but leave subnets intact. Use find and replace. Please try to keep it brief on the description.
      ALWAYS disable TSO & LRO EXCEPT CHKSUM IF SUPPORTED. TSO/LRO breaks traffic, pf scrub and this goes for any passive device inline


      podilarius:

        On all rule tabs except for Floating, the rules are quick (first matching). Floating rules can be made quick, but by default they are normal (last matching) rules. These rules are also put ahead of WAN, etc. They are designed for traffic shaping and perhaps other services.


        FJSchrankJr:

          Just learned something, thanks. I figured they were quick because every rule has worked even though sometimes there is a rule we have that comes after, but the first has always been the match, so I just wanted to check and confirm.

          I sure would like to come up with a way of estimating traffic delays based on the amount of rules, hardware, etc. I know there are a lot of variables here but are you aware of any performance stats for systems with 5k-10k rules?

          Thanks again -Fred


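The two semantics discussed in this thread (pf's default "last match wins" versus `quick` "first match wins") and pfSense's ordering (Floating rules first and non-quick by default, interface-tab rules after them and quick) can be made concrete with a small simulation. The following is an added example written for this page; it is not pfSense code and does not call pf. It models only the matching logic: the `Rule` and `Packet` types, the sample ruleset and the `compare()` helper are assumptions constructed for illustration, and real pf also consults the state table before the ruleset, so the "rules examined" count here applies only to packets that are not already covered by a state entry.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed, simplified model of a pf rule (no direction, state options or scrub).
@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    iface: str             # interface the rule is bound to, or "any" for a Floating rule
    proto: str             # "tcp", "udp", or "any"
    dport: Optional[int]   # destination port, None means any port
    quick: bool = False    # pf 'quick': stop evaluating the ruleset on match

# Constructed packet summary, just the fields the rules above look at.
@dataclass(frozen=True)
class Packet:
    iface: str
    proto: str
    dport: int

def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field of the rule either is a wildcard or equals the packet's."""
    return (rule.iface in ("any", pkt.iface)
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport))

def evaluate(ruleset: List[Rule], pkt: Packet, default: str = "block") -> Tuple[str, int]:
    """pf matching semantics: scan linearly, the last matching rule wins,
    unless a matching rule is 'quick', which ends the scan immediately.
    Returns (verdict, number_of_rules_examined)."""
    verdict = default
    examined = 0
    for rule in ruleset:
        examined += 1
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict, examined

# Constructed ruleset in pfSense order: Floating rules (not quick by default)
# come first, then the LAN tab rules, which pfSense generates as quick.
FLOATING = [
    Rule("pass", "any", "tcp", 22),                  # Floating, last-match: may be overridden
]
LAN = [
    Rule("block", "lan", "tcp", 22, quick=True),     # LAN tab: quick, so this is final when it matches
    Rule("pass", "lan", "any", None, quick=True),    # LAN tab: the usual "LAN to any" rule
]
RULESET = FLOATING + LAN

def with_quick(ruleset: List[Rule], quick: bool) -> List[Rule]:
    """Copy of the ruleset with every rule's quick flag forced to `quick`."""
    return [Rule(r.action, r.iface, r.proto, r.dport, quick) for r in ruleset]

def compare(pkt: Packet) -> dict:
    """Verdict and rules examined under three settings of the same ruleset:
    pfSense's defaults, everything quick, and everything last-match."""
    return {
        "pfsense_default": evaluate(RULESET, pkt),
        "all_quick": evaluate(with_quick(RULESET, True), pkt),
        "all_last_match": evaluate(with_quick(RULESET, False), pkt),
    }

if __name__ == "__main__":
    for pkt in (Packet("lan", "tcp", 22), Packet("lan", "udp", 53), Packet("wan", "tcp", 80)):
        print(pkt, compare(pkt))
```

For SSH from LAN the three settings disagree: with pfSense's defaults the non-quick Floating pass is overridden by the quick LAN block (two rules examined); if the Floating rule were quick it would win outright after one rule; if nothing were quick, the "LAN to any" pass at the end would win after scanning all three. The examined count is what grows with ruleset size in last-match mode, since every packet that reaches the ruleset is compared against every rule; with quick rules the scan stops at the first hit, which is why ordering rules by expected traffic volume matters for large rulesets.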
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.