Every network packet that the firewall handles is either input, output or forwarded. Accordingly, there are three predefined chains that handle the entire network traffic. We make a list of rules that allow or block specific traffic. At some point, we may have a list with several hundred rules. Mikrotik routers can have a long list and still operate without problems. However, each network packet must be compared with each rule in the list, in order, until a matching rule is found. The firewall takes a new packet that arrives on one of the network ports. It begins to compare it with the first, second, third rule in the list. The packet processing is actually a series of if… then… checks. The last rule, which will eventually reject the packet, is the final else in that series.

Every unnecessary pass through a long list wastes CPU time on the router. Although this percentage will be relatively small, maybe 10-15% of the CPU time, any saving allows us to do some other tasks.

These chains allow us to shorten the main processing list. Rather than comparing the packet with the full list, which can contain a few hundred rules, the firewall compares it with a shorter list of the main rules. If the packet matches any of the main rules, we make the jump to a new, shorter list that applies only to it. The last rule in this sub-list will be the one that rejects this kind of traffic. Therefore, the packet will be either passed or rejected with significantly fewer checks.

As we know, no rules after the explicit reject-all rule will be processed. As a result, the overall firewall operation will consume less CPU time.
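
The effect of jumping to a shorter sub-list can be seen in a small model of first-match rule evaluation. This is an added example, not code from the original page and not RouterOS syntax; the chain names, ports and rule counts are constructed for illustration.

```python
from collections import namedtuple

# Constructed model: proto/port of None means "any"; action is "accept",
# "reject" or "jump:<chain name>". Chain and rule contents are made up.
Rule = namedtuple("Rule", "proto port action")
Packet = namedtuple("Packet", "proto port")

def matches(rule, pkt):
    return rule.proto in (None, pkt.proto) and rule.port in (None, pkt.port)

def evaluate(chains, pkt, chain="forward"):
    """First match wins. Returns (verdict, number of rules compared)."""
    checked = 0
    for rule in chains[chain]:
        checked += 1
        if not matches(rule, pkt):
            continue
        if rule.action.startswith("jump:"):
            verdict, n = evaluate(chains, pkt, rule.action[len("jump:"):])
            checked += n
            if verdict is None:      # sub-list had no match: resume in caller
                continue
            return verdict, checked
        return rule.action, checked
    return None, checked             # fell off the end of this list

def allow(proto, first_port, count=100):
    return [Rule(proto, first_port + i, "accept") for i in range(count)]

REJECT_ALL = Rule(None, None, "reject")

# One flat list: 200 allow rules followed by the final reject.
FLAT = {"forward": allow("tcp", 1000) + allow("udp", 2000) + [REJECT_ALL]}

# Short main list that jumps into per-protocol sub-lists, each ending in reject.
CHAINED = {
    "forward": [Rule("tcp", None, "jump:tcp-rules"),
                Rule("udp", None, "jump:udp-rules"),
                REJECT_ALL],
    "tcp-rules": allow("tcp", 1000) + [REJECT_ALL],
    "udp-rules": allow("udp", 2000) + [REJECT_ALL],
}

if __name__ == "__main__":
    for pkt in (Packet("udp", 2099), Packet("udp", 9999), Packet("icmp", None)):
        print(pkt, "flat:", evaluate(FLAT, pkt), "chained:", evaluate(CHAINED, pkt))
```

The verdicts are identical in both layouts; only the number of comparisons changes, and traffic that matches none of the main rules is rejected after three checks instead of 201.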