Your first suggestion would, in my case, work better by first matching by IP. How much performance gain would I really achieve? Is there a way to quantify the impact that a given number of rules would have? In other words, is the difference between 200 and 1000 rules dramatic?
Depends on the speed of the CPU, the number and speed of network devices, and the amount and type of traffic. A software router/firewall can cope quite well with multiple 100 MBps average office networks. On the other hand, multiple heavily loaded gigabit interfaces can place a really high load on software routers/firewalls. That is where Cisco comes into play with high-end hardware-based routers. One way to tell is to monitor how much time your CPU spends in the idle state. Is it around 90 or 99%? Or is it closer to 10, 5 or 0%? In the latter case, anything you can optimize will show up dramatically.
If you already implemented my second suggestion, then the answer is probably "not much", since most of your packets are going to be matched/accepted by the time they reach your rule number 2. Apart from that, the lag inserted by your firewall during connection establishment will be ~4-5 times shorter (these packets have to go through either 200 or 1000 rules, instead of just the 2 rules that the second and subsequent packets will go through).
-- Aleksandar Milivojevic <amilivojevic@xxxxxx> Pollard Banknote Limited Systems Administrator 1499 Buffalo Place Tel: (204) 474-2323 ext 276 Winnipeg, MB R3T 1L7
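An added toy model (not code from this thread) that counts how many rules each packet is evaluated against in a linear chain, with and without an early "ESTABLISHED,RELATED -> ACCEPT" rule, to put numbers on the "200 vs 1000 rules" question above; rule contents, addresses and packets-per-connection are constructed.

```python
# Toy model of a linear netfilter-style chain: count rule evaluations per
# packet with and without a conntrack shortcut at the top of the chain.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def build_rules(n_rules):
    """n_rules filter rules, constructed so that the only rule our traffic
    matches is the LAST one (worst case for a new connection's first packet).
    The 10.99.x.y DROP sources never appear in the constructed traffic."""
    rules = [(lambda p, i=i: p.src == f"10.99.{i // 256}.{i % 256}", "DROP")
             for i in range(n_rules - 1)]
    rules.append((lambda p: p.dport == 80, "ACCEPT"))
    return rules


def chain_cost(n_rules, n_conns, pkts_per_conn, established_first):
    """Return (rules evaluated for a connection's first packet,
    average rules evaluated per packet over all traffic)."""
    rules = build_rules(n_rules)
    established = set()   # stands in for the kernel's conntrack table
    total, first_packet_cost = 0, None
    for c in range(n_conns):
        flow = (f"192.0.2.{c % 254 + 1}", "198.51.100.10", 80)  # constructed
        for k in range(pkts_per_conn):
            pkt, cost = Packet(*flow), 0
            if established_first:
                cost += 1                      # the early ESTABLISHED rule
                if flow in established:        # shortcut: skip the rest
                    total += cost
                    continue
            for match, verdict in rules:       # linear walk until first match
                cost += 1
                if match(pkt):
                    if verdict == "ACCEPT":    # only accepted flows get state
                        established.add(flow)
                    break
            if k == 0 and first_packet_cost is None:
                first_packet_cost = cost
            total += cost
    return first_packet_cost, total / (n_conns * pkts_per_conn)


if __name__ == "__main__":
    for n in (200, 1000):
        for shortcut in (False, True):
            print(n, shortcut, chain_cost(n, 50, 10, shortcut))
```

With 10 packets per connection, the per-packet average drops from 200/1000 to 21/101 once the shortcut is in place, while the first packet of each connection still pays the full 201/1001, which is the connection-setup lag the reply refers to.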