Firewall – Will dropping only SYN packets improve or decrease firewall performance

Tags: firewall, freebsd, ipfw

I'm setting up ipfw, and the following was suggested to me: if I make the rule drop only SYN packets for TCP, no connection could be established and the firewall won't even have to look at other packets.

It seems counterintuitive to me. I think that the firewall will perform better if I block all communication on the specified port (less packet inspection involved), and since no connection can be established either way, the number of incoming packets will be the same.

Is there really a difference?

Edit: concrete problem, blocking SSH from somehost:

ipfw add deny tcp from somehost to any port 22 via em0 tcpflags syn

vs.

ipfw add deny tcp from somehost to any port 22 via em0

Best Answer

There is a purpose to dropping syn packets only, but it's not (primarily) performance; it's an easy way to create a default deny rule that'll apply to incoming connections, but not return packets for an outgoing connection. A rule like this:

deny tcp from any to any in setup

(note that "setup" is shorthand for "tcpflags syn,!ack") will block all incoming TCP connections (that weren't allowed by a higher-priority rule).
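As an added illustration (not part of the original answer and not ipfw's own code), the following Python model imitates how an ipfw "tcpflags" match decides which inbound TCP packets a "deny ... in" rule hits. It also goes one step beyond the answer by contrasting a bare "tcpflags syn" rule with "setup" ("syn,!ack"): the bare form also matches the SYN+ACK that a remote host sends back in reply to our own outgoing connection, while "setup" leaves that reply alone. The packets, flag names and the direction field are constructed for this example; only the matching semantics (listed flags must be set, "!" flags must be clear, other flags are ignored) follow the ipfw documentation.

```python
# Added example: a minimal model of ipfw "tcpflags"/"setup" matching.
# Not code from the original answer or from ipfw; packets are constructed.

SYN, ACK, FIN, RST = "syn", "ack", "fin", "rst"


def parse_tcpflags(spec):
    """Parse an ipfw-style flag spec such as "syn,!ack" into two sets:
    flags that must be set and flags that must be clear.
    "setup" is the ipfw shorthand for "syn,!ack"."""
    if spec == "setup":
        spec = "syn,!ack"
    required, forbidden = set(), set()
    for tok in spec.split(","):
        tok = tok.strip().lower()
        if tok.startswith("!"):
            forbidden.add(tok[1:])
        else:
            required.add(tok)
    return required, forbidden


def tcpflags_match(spec, flags):
    """True if every listed flag is set and every "!" flag is clear.
    Flags not mentioned in the spec do not affect the result."""
    required, forbidden = parse_tcpflags(spec)
    flags = set(flags)
    return required <= flags and not (forbidden & flags)


def deny_in_rule(spec):
    """Build a classifier for 'deny tcp from any to any in <spec>'.
    Returns "deny" when the rule fires, otherwise "pass" (meaning the packet
    falls through to whatever later rules would do with it)."""
    def decide(pkt):
        if pkt["dir"] == "in" and tcpflags_match(spec, pkt["flags"]):
            return "deny"
        return "pass"
    return decide


# Constructed sample traffic as seen on the firewall's interface.
SAMPLE_PACKETS = (
    {"dir": "in",  "flags": {SYN},      "desc": "new inbound connection attempt"},
    {"dir": "in",  "flags": {SYN, ACK}, "desc": "reply to our outgoing connection"},
    {"dir": "in",  "flags": {ACK},      "desc": "data on an established connection"},
    {"dir": "in",  "flags": {ACK, FIN}, "desc": "remote side closing a connection"},
    {"dir": "out", "flags": {SYN},      "desc": "our outgoing connection attempt"},
)


def compare(packets=SAMPLE_PACKETS):
    """Run each packet through a 'tcpflags syn' deny rule and a 'setup' deny
    rule; map each packet description to (syn_verdict, setup_verdict)."""
    by_syn = deny_in_rule("syn")
    by_setup = deny_in_rule("setup")
    return {p["desc"]: (by_syn(p), by_setup(p)) for p in packets}


if __name__ == "__main__":
    for desc, (syn_verdict, setup_verdict) in compare().items():
        print(f"{desc:40s} tcpflags syn: {syn_verdict:5s} setup: {setup_verdict}")
```

Running it shows the one row where the two rules disagree: the inbound SYN+ACK answering our own outgoing connection is dropped by "tcpflags syn" but passed by "setup", which is why the answer's default-deny rule uses "setup" rather than a bare SYN match.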

There may actually be a performance argument for this, because the alternative -- using keep-state rules to allow return packets on outgoing connections -- involves dynamic rules (and creating, managing, and checking all packets against them), which presumably have some impact on performance.

Mind you, this is not relevant in the case of a rule blocking a specific low-numbered port (e.g. 22 in your example), because you can be pretty sure no port under 1024 will be allocated for an outgoing connection.