Firewall Wizards mailing list archives

RE: Rationale for BSD (I)PF rule order?


From: "Marcus J. Ranum" <mjr () ranum com>
Date: Mon, 12 May 2003 12:56:00 -0400

Paul Robertson wrote:
> Having lots of rules isn't necessarily a bad thing, if they don't change
> much over time.

I don't agree. Many rules means that there is a complex policy with
many exceptions. That usually means that the security policy was
created by office politics and organizational leverage, not by good
security design. Which usually means that the firewall is there to
slow traffic down a little bit, and log stuff, but isn't doing much for
security.

If I were to guess, 90% of the firewalls I've seen in the last 10 years
fit into the category of "you've got to be fooling yourself!"

mjr.  
---
Marcus J. Ranum                         http://www.ranum.com
Computer and Communications Security    mjr () ranum com

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
