Pf rule processing order and performance
-
Does anyone know if 'quick' mode is enabled by default in pf on pfSense? I am trying to figure out if the firewall stops processing rules after the first match, or if it uses the default of "last match wins", in which case the firewall linearly scans all rules and the last matching rule is the effective one.
From our production use over the last year, it looks like it's first-match wins but I want to confirm.
Thank you for your insight! -Fred
-
On all rule tabs except for Floating, the rules are quick (first match). Floating rules can be made quick, but by default they are normal (last match) rules. These rules are also put ahead of WAN etc. They are designed for traffic shaping and perhaps other services.
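A small simulation of the two evaluation modes described in the reply above, added here as an example; it is not code from pfSense or from either poster, and the interface names, rules and packets are constructed. It shows why an ordinary (non-quick) floating rule is overridden by a later quick interface rule, and why a ruleset with no quick rules is always walked to the end.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed model of pf rule evaluation (added example, not pfSense code).
# pf walks the ruleset top to bottom; every matching rule becomes the current
# winner. A rule marked quick stops the walk, so quick rules are first-match
# and non-quick rules are last-match.

@dataclass
class Rule:
    action: str             # "pass" or "block"
    iface: Optional[str]    # None matches any interface (a floating rule)
    proto: Optional[str]    # None matches any protocol
    dport: Optional[int]    # None matches any destination port
    quick: bool = False
    label: str = ""

    def matches(self, pkt: dict) -> bool:
        return all(want is None or pkt[key] == want for key, want in
                   (("iface", self.iface), ("proto", self.proto), ("dport", self.dport)))

def evaluate(rules, pkt):
    """Return (action, winning rule label, rules inspected) under pf semantics."""
    winner, inspected = None, 0
    for rule in rules:
        inspected += 1
        if rule.matches(pkt):
            winner = rule
            if rule.quick:
                break  # first matching quick rule ends evaluation
    if winner is None:
        return ("pass", "no rule matched", inspected)
    return (winner.action, winner.label, inspected)

def build_ruleset(floating_quick: bool):
    """Constructed ruleset: a default deny, one floating rule, then quick WAN rules."""
    return [
        Rule("block", None, None, None, label="block all"),            # last-match default deny
        Rule("pass", None, "tcp", 22, quick=floating_quick, label="floating pass ssh"),
        Rule("block", "wan", "tcp", 22, quick=True, label="wan block ssh"),
        Rule("pass", "wan", "tcp", 443, quick=True, label="wan allow https"),
    ]

SSH_WAN = {"iface": "wan", "proto": "tcp", "dport": 22}     # constructed packets
HTTPS_WAN = {"iface": "wan", "proto": "tcp", "dport": 443}
DNS_LAN = {"iface": "lan", "proto": "udp", "dport": 53}

if __name__ == "__main__":
    for quick in (False, True):
        print(f"floating rule quick={quick}:", evaluate(build_ruleset(quick), SSH_WAN))
    print("no quick rule matches:", evaluate(build_ruleset(False), DNS_LAN))
```

With the floating rule left non-quick, the later quick WAN block wins for SSH; once the floating rule is made quick it wins immediately, and a packet that only matches non-quick rules is checked against every rule in the set.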
-
Just learned something, thanks. I figured they were quick because every rule has worked even though sometimes there is a rule we have that comes after, but the first has always been the match, so I just wanted to check and confirm.
I sure would like to come up with a way of estimating traffic delays based on the number of rules, hardware, etc. I know there are a lot of variables here, but are you aware of any performance stats for systems with 5k-10k rules?
Thanks again -Fred