Firewall Wizards mailing list archives

RE: Rationale for BSD (I)PF rule order?


From: "Ben Nagy" <ben () iagu net>
Date: Mon, 12 May 2003 14:55:00 +0200

-----Original Message-----
From: firewall-wizards-admin () honor icsalabs com 
[mailto:firewall-wizards-admin () honor icsalabs com] On Behalf 
Of Marcus J. Ranum
Sent: Monday, 12 May 2003 3:34 AM
To: Holger.Kipp () alogis com; barney () databus com; Bill () royds net
Cc: mikael.olsson () clavister com; holger.kipp () alogis com; 
volker.tanger () discon de; firewall-wizards () honor icsalabs com

Holger Kipp wrote:
Assume you have 3000+ rules on 12 interfaces and want to add 
another rule.

If you have a 3000+ rule 12 interface firewall you may as 
well replace it with one of them newfangled "secure hubs"

mjr. 

Or indeed not bother. I grow more and more skeptical of these giant rulesets
and single chokepoint solutions (actually of firewalls in general, but let's
keep the faith...). I'm sure modern firewalls themselves perform well enough
to handle them, but I haven't seen a corresponding Moore's Law for
performance and clue-level of firewall admins. I also suspect a good dose of
bad ruleset design - I have probably seen well over a hundred
customer-written firewall rulesets of various kinds, and to date I have seen
two (2) that couldn't have several of the rules removed and reordered with
no security delta.

Maybe I'll add a new principle when teaching my 'Dao of Good Security' - "if
your security policy is complex then it isn't working".

You do have a way of compressing intelligent insight into throwaway grumpy
remarks, Marcus. ;)

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
