I guess the second one will be slightly better on average. There’s a performance hit for every firewall rule checked, and if a packet doesn’t trigger any of them, then all of them have to be checked before the packet is either implicitly accepted (a packet passing through all rules in a chain is accepted) or explicitly dropped (by a rule further down the chain). The amount of work for checking a certain rule varies, and the rule in the “alternative setup” will be slightly more expensive than each of the rules in the “first setup” … but only a single rule has to be checked.
So generally, a lower number of rules is better. Ordering matters as well in the case where one of the rules does trigger (it’s better to have rules triggering more often higher on the list).
In this particular case (chain=input) it probably won’t matter much, as the amount of traffic handled by these rules will be low and any packet “surviving” the firewall rules will hit one of the router’s services, which will take many CPU cycles to process it.
In the forward chain things are more sensitive though. That’s why the “accept established,related” rule is one of the topmost (it’ll likely handle 95+% of all packets) and that’s why fasttrack exists.
While reading your statement, I realized that I had not defined the basic assumptions of the research. So let’s assume that all incoming packets do not match the accept rules.
I also have my suspicions, but I don’t have any evidence and I really don’t know how to check it. In virtually both cases, the router will do exactly the same thing. So yes, the main thing is whether one method is more efficient for the CPU than the other?
Consider this: the firewall has to try to match every matching criterion of a rule before it can conclude whether to execute it or pass it (OK, it might stop matching if one criterion doesn’t match, as all criteria have to match for the rule to execute). And let’s say each simple match costs the same (e.g. 1 something) while a complex match is more expensive … in the alternative rule it may have to match against 4 different dst-port numbers, so let’s say the cost is 4 somethings (I’d be disappointed if the cost is really that high, matching might be optimized, but I’m considering this estimate the worst case).
So the cost of each of the simple rules is 3 somethings (possibly much more, as there’s matching against the address list, plus there’s matching against protocol and against a single dst-port). You have 4 such rules, so the total cost for packets not matching any of them will be 12 somethings (possibly much more due to the address-list).
The cost of the single complex rule is around 6 somethings (matching against protocol, 4 matches against dst-port and matching against the address-list), possibly more (if matching against the address-list proved more expensive), but the increase is not proportional to the number of ports in the matching list.
So it’s 12 (plus 4x something) versus 6 (plus 1x something).
The only drawback of the “combined” rule is if one wants to change only one detail … e.g. if the SSH server is migrated to another IP address, which means adding an entirely new rule (vs. adjusting an existing rule in the case of multiple simple rules).
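The cost accounting above (12 somethings for four simple rules versus 6 for one combined rule, plus the unknown address-list cost), together with the earlier points about short-circuiting a rule on its first failing criterion and about ordering (the established,related rule on top), can be carried through in a small model. The following is an added example, not code from the thread or from RouterOS: it assumes four hypothetical service ports (22, 80, 443, 8291; only SSH is named above), an evaluation order of protocol, connection-state, dst-port, address-list within a rule, and a constructed packet that matches no accept rule, per the assumption stated in the thread. The address-list cost is a parameter because the thread leaves it unknown.

```python
"""Toy cost model for a firewall filter chain, following the "somethings"
accounting from the thread above (added example, not RouterOS code).

A chain is evaluated top to bottom; a rule fires only if every one of its
criteria matches. Each criterion that is evaluated is charged a cost:
1 for a simple match (protocol, connection-state, a single dst-port),
len(ports) for a multi-port dst-port list (the thread's worst case), and
address_list_cost for an address-list lookup (unknown in the thread, so a
parameter here). Criteria are evaluated in the order protocol,
connection-state, dst-port, address-list; that order is an assumption of
this model, not documented RouterOS behaviour.
"""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    protocol: str
    dst_port: int
    src_in_list: bool          # source address is on the allow address-list
    established: bool = False  # belongs to an established/related connection


@dataclass(frozen=True)
class Rule:
    action: str
    protocol: str | None = None
    conn_established: bool | None = None
    dst_ports: frozenset = frozenset()
    src_in_list: bool | None = None

    def evaluate(self, pkt, address_list_cost=1, short_circuit=True):
        """Return (matched, cost). With short_circuit=True evaluation stops at
        the first failing criterion; with False every criterion is charged,
        which reproduces the thread's worst-case numbers."""
        checks = []
        if self.protocol is not None:
            checks.append((1, pkt.protocol == self.protocol))
        if self.conn_established is not None:
            checks.append((1, pkt.established == self.conn_established))
        if self.dst_ports:
            checks.append((len(self.dst_ports), pkt.dst_port in self.dst_ports))
        if self.src_in_list is not None:
            checks.append((address_list_cost, pkt.src_in_list == self.src_in_list))
        cost, matched = 0, True
        for c, ok in checks:
            cost += c
            if not ok:
                matched = False
                if short_circuit:
                    break
        return matched, cost


def run_chain(rules, pkt, address_list_cost=1, short_circuit=True, default="accept"):
    """Walk the chain; return (action, total cost). A packet matching no rule
    gets the chain's implicit default action (accept, as the thread notes)."""
    total = 0
    for rule in rules:
        matched, cost = rule.evaluate(pkt, address_list_cost, short_circuit)
        total += cost
        if matched:
            return rule.action, total
    return default, total


# Hypothetical service ports; the thread names only SSH.
PORTS = (22, 80, 443, 8291)

# "First setup": one accept rule per port, each restricted to the address-list.
SIMPLE = [Rule("accept", protocol="tcp", dst_ports=frozenset({p}), src_in_list=True)
          for p in PORTS]
# "Alternative setup": one accept rule with a four-port dst-port list.
COMBINED = [Rule("accept", protocol="tcp", dst_ports=frozenset(PORTS), src_in_list=True)]
# An "accept established,related" rule, placed on top as in the forward chain.
ESTABLISHED = Rule("accept", conn_established=True)

# Constructed packet per the thread's assumption: it matches no accept rule
# (TCP to a served port, but the source is not on the address-list).
STRANGER = Packet("tcp", 22, src_in_list=False)


def compare(address_list_cost=1, short_circuit=False):
    """Cost of STRANGER traversing each setup without matching anything."""
    _, simple = run_chain(SIMPLE, STRANGER, address_list_cost, short_circuit)
    _, combined = run_chain(COMBINED, STRANGER, address_list_cost, short_circuit)
    return simple, combined


if __name__ == "__main__":
    print("worst case, address-list cost 1:", compare())                      # (12, 6)
    print("worst case, address-list cost 5:", compare(address_list_cost=5))   # (28, 10)
    print("short-circuit, address-list cost 1:", compare(short_circuit=True))  # (9, 6)
    # Ordering: an established packet is accepted by the first rule at cost 1
    # instead of walking the whole chain first.
    est = Packet("tcp", 22, src_in_list=False, established=True)
    print(run_chain([ESTABLISHED] + SIMPLE, est))  # ('accept', 1)
    print(run_chain(SIMPLE + [ESTABLISHED], est))  # ('accept', 10)
```

With every criterion charged, the model returns the thread's 12 versus 6; raising the address-list cost widens the gap (four lookups versus one). With short-circuiting the simple rules that fail on dst-port cost 2 each, so the gap narrows to 9 versus 6 but the combined rule still wins, and moving the established,related rule to the top shows why ordering dominates in the forward chain.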
Thank you for your explanation. Generally, I think similarly, but this is just my speculation - I have not found evidence anywhere that this is actually the case - and how much it differs.