Firewall Wizards mailing list archives
Re: Rationale for BSD (I)PF rule order?
From: Holger Kipp <Holger.Kipp () alogis com>
Date: Sun, 11 May 2003 01:29:56 +0000
Barney Wolff (barney () databus com) wrote:
> I am simply amazed at what people have been saying in this thread.

me too.

> Unless the firewall hardware actually has a CAM, rule evaluation is going to be sequential, whether in the order configured or not. Therefore, I for one will never accept a scheme where I have to think hard about what the ruleset will actually do. I want the simplest, clearest relationship between what I see and what the firewall will do, and that's sequential, first-match.

I'd like to suggest that every sysadmin who creates rulesets (and wants to harden them) should in fact think hard about what the ruleset will actually do - no matter what firewall and rule-scheme (s)he is using.

Assume you have 3000+ rules on 12 interfaces and want to add another rule. Where do you insert the new rule? You have to find the(*) rule A that is less specific(+) and would override your rule B and add the new rule B before that one. But if rule B is not a real subset of rule A? Then it might affect other rules further down. Happy hunting ;-) (that about simplest and clearest)

(*) might be several.
(+) for sake of simplicity let's assume we know what 'less specific' means.

I prefer a mixture of
a) building a tree with appropriate rules, which means I can control the flow of rule evaluation,
b) using "quick" where I think it is necessary, and
c) keeping local and global complexity of the ruleset low.

OK, that's what I like about ipf. If you dislike it, use something else ;-)

Regards,
Holger Kipp

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
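The two evaluation models argued about in this thread (sequential first-match versus ipf's last-match with "quick" and head/group trees) can be compared on the same ruleset. The following simulator is an added example written for this archive page; it is not code from the thread, from ipf, or from either poster. It models a deliberately simplified ipf: rules carry only protocol, source/destination CIDR and destination port (no interface or direction), a packet that matches no rule is passed (an assumed default), and the head/group handling is an approximation of ipf's grouping: when a rule with "head N" matches, the rules of group N are evaluated before the walk of the parent list continues, and any "quick" match ends evaluation immediately. The ruleset and packets are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Rule:
    action: str                  # "pass" or "block"
    proto: str = "any"           # "tcp", "udp", ... or "any"
    src: str = "any"             # CIDR or "any"
    dst: str = "any"             # CIDR or "any"
    dport: Optional[int] = None  # destination port, None = any port
    quick: bool = False          # stop evaluation as soon as this rule matches
    group: int = 0               # group this rule lives in (0 = top level)
    head: Optional[int] = None   # group to descend into when this rule matches


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int] = None


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if not (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)):
        return False
    return rule.dport is None or rule.dport == pkt.dport


Decision = Tuple[str, Optional[int]]  # (action, index of the rule that decided)


def evaluate_ipf(rules: List[Rule], pkt: Packet) -> Decision:
    """Simplified ipf semantics: last matching rule wins, 'quick' stops the
    walk, a matching 'head' rule descends into its group first (assumption)."""

    def walk(group: int) -> Tuple[Optional[int], bool]:
        winner = None
        for i, r in enumerate(rules):
            if r.group != group or not matches(r, pkt):
                continue
            winner = i
            if r.head is not None:
                sub, stop = walk(r.head)
                if sub is not None:
                    winner = sub     # a group rule overrides its head rule
                if stop:
                    return winner, True
            if r.quick:
                return winner, True
        return winner, False

    winner, _ = walk(0)
    return ("pass", None) if winner is None else (rules[winner].action, winner)


def evaluate_first_match(rules: List[Rule], pkt: Packet) -> Decision:
    """The model Barney asks for: first matching top-level rule decides."""
    for i, r in enumerate(rules):
        if r.group == 0 and matches(r, pkt):
            return r.action, i
    return "pass", None


# Constructed sample ruleset (comments give the ipf-style reading of each rule).
RULES = [
    Rule("block"),                                                    # 0: block in all
    Rule("pass", "tcp", dst="192.0.2.10/32", dport=80),               # 1: pass in proto tcp to web port 80
    Rule("block", "tcp", src="198.51.100.0/24"),                      # 2: block in proto tcp from 198.51.100.0/24
    Rule("pass", "tcp", src="203.0.113.5/32", dport=22, quick=True),  # 3: pass in quick ... port 22
    Rule("block", "tcp", dport=22),                                   # 4: block in proto tcp to any port 22
    Rule("pass", "udp", dst="192.0.2.53/32", dport=53, head=10),      # 5: pass in proto udp to dns head 10
    Rule("block", "udp", src="198.51.100.0/24", group=10),            # 6: block in ... group 10
]

# Constructed sample packets.
SAMPLES = [
    Packet("tcp", "198.51.100.7", "192.0.2.10", 80),   # web from the blocked /24
    Packet("tcp", "203.0.113.9", "192.0.2.10", 80),    # web from elsewhere
    Packet("tcp", "203.0.113.5", "192.0.2.10", 22),    # ssh from the one allowed host
    Packet("tcp", "203.0.113.9", "192.0.2.10", 22),    # ssh from anywhere else
    Packet("udp", "198.51.100.3", "192.0.2.53", 53),   # dns from the blocked /24 (group 10)
    Packet("udp", "203.0.113.9", "192.0.2.53", 53),    # dns from elsewhere
]

if __name__ == "__main__":
    print(f"{'packet':40} {'ipf last-match':18} first-match")
    for p in SAMPLES:
        desc = f"{p.proto} {p.src} -> {p.dst}:{p.dport}"
        print(f"{desc:40} {str(evaluate_ipf(RULES, p)):18} {evaluate_first_match(RULES, p)}")
```

Running it shows why the two camps talk past each other: under first-match the leading "block in all" decides every packet, so the later rules are dead; under last-match the same text reads as "default block, then carve out exceptions", with rule 2 silently overriding the web exception for one source range and rule 3's "quick" shielding the ssh exception from rule 4. Rule 6 is the tree Holger describes: it is only consulted for packets that already matched the head rule 5, so its effect is local to DNS traffic rather than to everything further down the list.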