Firewall Wizards mailing list archives
Re: Rationale for BSD (I)PF rule order?
From: Barney Wolff <barney () databus com>
Date: Fri, 9 May 2003 22:35:24 -0400
On Fri, May 09, 2003 at 09:10:15PM -0400, Bill Royds wrote:
> Is it not better to have a ruleset firing on closest fit? Decide on which rule to apply based on a nesting of address space (single hosts with subnets within domains within interfaces, exact ports within port ranges etc.) and match on protocol (UDP versus ICMP versus TCP etc.). Rules are made of tuples similar to sockets, except that there are other possible dimensions added (protocol, authenticated, un-authenticated, source interface, destination interface, time of day, phase of moon etc.). Order of rule firing based on textual order is always going to create problems. If the firewall can generate this tree implied by nesting, then rule lookup will be faster as well, since the maximum lookup is log(nesting factor) and it can still be done with hash table lookup.
Well of course hash won't work for anything that is a range or a subnet.

I am simply amazed at what people have been saying in this thread. Unless the firewall hardware actually has a CAM, rule evaluation is going to be sequential, whether in the order configured or not. Therefore, I for one will never accept a scheme where I have to think hard about what the ruleset will actually do. I want the simplest, clearest relationship between what I see and what the firewall will do, and that's sequential, first-match.

As Randy Bush would say, I invite my competitors to use other schemes.

--
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
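An added example, not part of the thread or of any firewall's code, to make the two positions concrete: one small ruleset evaluated both ways. `first_match()` is the sequential, textual-order evaluation Barney argues for; `closest_fit()` is one possible reading of the "nesting" proposal, picking the matching rule with the highest specificity score. The ruleset, the packets and the specificity scoring (combined prefix length, then port-range narrowness, then whether a protocol was named) are all constructed for this example. The point it shows is the one in the reply above: with closest-fit, an admin-host rule and a sensitive-server rule can be equally "specific" in different dimensions, so the decision silently falls back to textual order anyway, and the reader has to think hard to predict the result.

```python
"""Added example: one four-rule packet filter evaluated two ways.

first_match()  - sequential, textual order, first matching rule wins
closest_fit()  - pick the most specific matching rule ("closest fit")

Ruleset, packets and specificity scoring are constructed for this example.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    proto: Optional[str]               # None = any protocol
    src: str                           # source CIDR
    dst: str                           # destination CIDR
    dport: Optional[Tuple[int, int]]   # inclusive (low, high) or None = any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dport is not None:
            lo, hi = self.dport
            if not lo <= pkt.dport <= hi:
                return False
        return True

    def specificity(self) -> Tuple[int, int, int]:
        """Higher tuple = closer fit. This is one arbitrary choice among many:
        combined src+dst prefix length first, then narrowness of the port
        range, then whether a protocol was named at all."""
        prefix_bits = ip_network(self.src).prefixlen + ip_network(self.dst).prefixlen
        port_narrowness = 0 if self.dport is None else 65536 - (self.dport[1] - self.dport[0])
        return (prefix_bits, port_narrowness, 1 if self.proto else 0)


def first_match(rules: List[Rule], pkt: Packet, default: str = "block"):
    """Sequential evaluation: walk the list in textual order, first hit decides.
    Returns (action, index of the deciding rule or None for the default)."""
    for idx, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, idx
    return default, None


def closest_fit(rules: List[Rule], pkt: Packet, default: str = "block"):
    """Most-specific-match: evaluate every rule and keep the highest score.
    Returns (action, winning index, ambiguous); ambiguous=True means at least
    two rules tied on specificity and the tie was broken by textual order."""
    hits = [(rule.specificity(), idx) for idx, rule in enumerate(rules) if rule.matches(pkt)]
    if not hits:
        return default, None, False
    best = max(spec for spec, _ in hits)
    winners = [idx for spec, idx in hits if spec == best]
    return rules[winners[0]].action, winners[0], len(winners) > 1


# Constructed ruleset: a guest subnet, one admin host inside it, a sensitive
# server in the DMZ, and a broad "LAN to DMZ" allow at the end.
RULES = [
    Rule("block", "tcp", "10.0.5.0/24", "192.0.2.0/24", (22, 22)),     # 0: guests get no ssh to the DMZ
    Rule("pass",  "tcp", "10.0.5.7/32", "192.0.2.0/24", (1, 65535)),   # 1: the admin host may reach anything
    Rule("block", "tcp", "10.0.5.0/24", "192.0.2.10/32", (1, 65535)),  # 2: nobody from guests to the sensitive host
    Rule("pass",  None,  "10.0.0.0/8",  "192.0.2.0/24", None),         # 3: everything else LAN -> DMZ
]

ADMIN_SSH = Packet("tcp", "10.0.5.7", "192.0.2.20", 22)   # admin host -> ordinary DMZ box, ssh
ADMIN_HTTP = Packet("tcp", "10.0.5.7", "192.0.2.10", 80)  # admin host -> sensitive host, http


if __name__ == "__main__":
    for name, pkt in (("admin ssh", ADMIN_SSH), ("admin http", ADMIN_HTTP)):
        print(f"{name:10s} first-match: {first_match(RULES, pkt)}   closest-fit: {closest_fit(RULES, pkt)}")
```

For the ssh packet the two strategies disagree outright: first-match stops at rule 0 and blocks, closest-fit prefers the /32 admin rule and passes. For the http packet, rules 1 and 2 tie on specificity (one is narrower on the source, the other on the destination), so closest-fit reports the decision as ambiguous and the outcome depends on which rule was written first, which is exactly the textual ordering the proposal set out to avoid.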
Current thread:
- Rationale for BSD (I)PF rule order? Volker Tanger (May 08)
- Re: Rationale for BSD (I)PF rule order? Barney Wolff (May 08)
- Re: Rationale for BSD (I)PF rule order? Henning Brauer (May 09)
- Re: Rationale for BSD (I)PF rule order? Holger Kipp (May 09)
- Re: Rationale for BSD (I)PF rule order? Mikael Olsson (May 09)
- Re: Rationale for BSD (I)PF rule order? Bill Royds (May 09)
- Re: Rationale for BSD (I)PF rule order? Barney Wolff (May 10)
- Re: Rationale for BSD (I)PF rule order? David Pick (May 10)
- Re: Rationale for BSD (I)PF rule order? Mikael Olsson (May 09)
- Re: Rationale for BSD (I)PF rule order? Barney Wolff (May 08)
- <Possible follow-ups>
- RE: Rationale for BSD (I)PF rule order? Smith Gary-GSMITH1 (May 09)
- RE: Rationale for BSD (I)PF rule order? Stewart, John (May 09)
- Re: Rule lookup strategies (Was: Rationale for BSD (I)PF rule order?) Mikael Olsson (May 09)
- Re: Rule lookup strategies (Was: Rationale for BSD (I)PF rule order?) Gary Flynn (May 10)
- Re: Rationale for BSD (I)PF rule order? Darren Reed (May 10)
- Re: Rationale for BSD (I)PF rule order? Avishai Wool (May 11)
- Re: Rationale for BSD (I)PF rule order? Paul Robertson (May 12)
- Re: Rule lookup strategies (Was: Rationale for BSD (I)PF rule order?) Mikael Olsson (May 09)
- Re: Rationale for BSD (I)PF rule order? Bill Royds (May 11)