Firewall Wizards mailing list archives
Re: Is the order of the rules entered in iptables important?
From: David Lang <david.lang () digitalinsight com>
Date: Mon, 5 Aug 2002 09:25:19 -0700 (PDT)
Having worked with both types, I think that the 'best fit' approach is easier if you have small rulesets, but the 'rule order' approach offers more precise control with a complicated ruleset. One thing that makes the 'best fit' approach work on Raptor is that since it is a proxy-based firewall you are not putting in two rules for each traffic type, only one, so some of the more obvious reordering problems vanish.

David Lang

On 5 Aug 2002, Anton J Aylward, CISSP wrote:

> Date: 05 Aug 2002 08:14:43 -0400
> From: "Anton J Aylward, CISSP" <aja () si on ca>
> To: David Lang <david.lang () digitalinsight com>
> Cc: Christopher Hicks <chicks () chicks net>, firewall-wizards () honor icsalabs com
> Subject: Re: [fw-wiz] Is the order of the rules entered in iptables important?
>
> You should also check Brent Chapman's papers and the O'Reilly book he co-authored with Elizabeth Zwicky. Brent found that some routers try to optimize their filter rules and do so in such a way that results in untoward effects.
>
> I don't know which volume will be available to you, but in mine it's in a section: "Choosing a Filtering Packet Router": It should apply rules in the order specified.
>
> See if the problems he describes with the optimizations would apply to you.
>
> On Sun, 2002-08-04 at 23:14, David Lang wrote:
> > There are a few firewalls that apply rules in a 'best fit' strategy rather than in order. Raptor (now Symantec Enterprise Firewall) is one example that does this. There was a debate on the pros and cons of this a year or so ago.
> >
> > David Lang
> >
> > On Thu, 1 Aug 2002, Christopher Hicks wrote:
> > > On Thu, 1 Aug 2002, Kenny G. Dubuisson, Jr. wrote:
> > > > Does the order in which rules are added for an iptables table matter?
> > >
> > > Yes. I'm not aware of many firewall ruleset systems where the order doesn't matter.
>
> --
> Anton J Aylward, CISSP | http://groups.yahoo.com/group/ITTMG-Canada
> System Integrity | http://www.isc2.org
> InfoSec Consulting | http://www.issa-intl.org
> Voice: (416) 497-0201 | http://www.issa-toronto.org
> mailto:aja () si on ca |
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
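To make the thread's distinction concrete, here is an added simulation (not code from the thread or from any of the firewalls named in it) that evaluates one constructed ruleset under iptables-style first-match semantics and under a hypothetical 'best fit' reading where the most specific matching rule wins; the rules, packets and the specificity score are all assumptions for illustration.

```python
"""First-match versus 'best fit' evaluation of a small packet-filter ruleset.

Constructed example. 'Best fit' is modelled as 'most specific matching rule
wins' (longest source prefix, explicit port beats wildcard); this is an
assumed reading of the strategy, not a description of any real product.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str                # source network in CIDR form
    dport: Optional[int]    # destination port, None means any port
    action: str             # "ACCEPT" or "DROP"

    def matches(self, src_ip: str, dport: int) -> bool:
        in_net = ip_address(src_ip) in ip_network(self.src)
        return in_net and (self.dport is None or self.dport == dport)

    def specificity(self) -> int:
        # Longer prefix and an explicit port make a rule more specific.
        return ip_network(self.src).prefixlen + (16 if self.dport is not None else 0)


def first_match(rules: List[Rule], src_ip: str, dport: int, policy: str = "DROP") -> str:
    """iptables semantics: walk the chain in order; the first matching rule decides."""
    for rule in rules:
        if rule.matches(src_ip, dport):
            return rule.action
    return policy  # chain policy applies when nothing matched


def best_fit(rules: List[Rule], src_ip: str, dport: int, policy: str = "DROP") -> str:
    """Order-independent: among all matching rules, the most specific one decides."""
    hits = [r for r in rules if r.matches(src_ip, dport)]
    return max(hits, key=Rule.specificity).action if hits else policy


# Constructed ruleset: one admin host may SSH in, the rest of 10/8 may not, web is open.
RULES = [
    Rule("10.0.0.5/32", 22, "ACCEPT"),
    Rule("10.0.0.0/8", 22, "DROP"),
    Rule("0.0.0.0/0", 80, "ACCEPT"),
]


def compare(rules: List[Rule], src_ip: str, dport: int) -> dict:
    """Decision for one packet under both strategies, with the chain as given and reversed."""
    rev = list(reversed(rules))
    return {"first_match": first_match(rules, src_ip, dport),
            "first_match_reversed": first_match(rev, src_ip, dport),
            "best_fit": best_fit(rules, src_ip, dport),
            "best_fit_reversed": best_fit(rev, src_ip, dport)}


if __name__ == "__main__":
    for pkt in [("10.0.0.5", 22), ("10.0.0.9", 22), ("192.0.2.1", 80)]:
        print(pkt, compare(RULES, *pkt))
```

Reversing the chain flips the admin host's SSH decision from ACCEPT to DROP under first-match, while the best-fit result is unchanged; that order sensitivity is exactly why a chain must be reviewed as a sequence, not as a set.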