Firewall Wizards mailing list archives
Re: Opinion: Worst interface ever.
From: "Marcus J. Ranum" <mjr () ranum com>
Date: Tue, 05 Jul 2005 09:25:48 -0400
Paul D. Robertson wrote:
The new Watchguard software "automatically" decides ruleset evaluation order, and there's no easy way that I can find to figure out what order something's going to be evaluated in.
That's a chip-head thing, Paul. Remember - it's all about performance, not security. By re-ordering the ruleset the firewall can evaluate the rules in the fastest possible manner. I had this explained to me once by an engineer who builds ASIC firewalls for a living - he thought it was a very cool optimization. When I suggested that they optimize the "deny all" default deny to the top of the sequence, because then it'd really scream - it took him a couple of seconds to laugh.

mjr.
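Added example, not part of the original message and not any vendor's algorithm: a check for whether a reordered ruleset can change a filtering decision. It assumes first-match evaluation and a simplified rule model (source CIDR, destination port range, action); the rule names and addresses are constructed.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    name: str
    src: str       # source CIDR
    ports: tuple   # inclusive (low, high) destination port range
    action: str    # "allow" or "deny"

def matches(rule, src_ip, port):
    net = ipaddress.ip_network(rule.src)
    return ipaddress.ip_address(src_ip) in net and rule.ports[0] <= port <= rule.ports[1]

def decide(rules, src_ip, port):
    """First-match evaluation (assumed); an unmatched packet is denied."""
    for rule in rules:
        if matches(rule, src_ip, port):
            return rule.action
    return "deny"

def overlaps(a, b):
    nets = ipaddress.ip_network(a.src).overlaps(ipaddress.ip_network(b.src))
    return nets and a.ports[0] <= b.ports[1] and b.ports[0] <= a.ports[1]

def unsafe_swaps(original, reordered):
    """Overlapping, disagreeing pairs whose order flipped; empty means no decision can change."""
    pos = {r.name: i for i, r in enumerate(reordered)}
    found = []
    for i, a in enumerate(original):
        for b in original[i + 1:]:
            if pos[a.name] > pos[b.name] and a.action != b.action and overlaps(a, b):
                found.append((a.name, b.name))
    return found

# Constructed ruleset using documentation address ranges, not taken from the thread.
ORIGINAL = [
    Rule("block-contractor", "198.51.100.0/28", (22, 22), "deny"),
    Rule("allow-ssh", "198.51.100.0/24", (22, 22), "allow"),
    Rule("allow-web", "0.0.0.0/0", (80, 443), "allow"),
    Rule("deny-all", "0.0.0.0/0", (0, 65535), "deny"),
]
# Harmless reordering: allow-web moves first; it overlaps only deny-all, which still follows it.
HOT_FIRST = [ORIGINAL[2], ORIGINAL[0], ORIGINAL[1], ORIGINAL[3]]
# The reordering joked about in the message: the default deny moved to the top.
DENY_FIRST = [ORIGINAL[3]] + ORIGINAL[:3]
```

An empty result from unsafe_swaps is a sufficient condition for equivalence, not a necessary one: a flagged pair may still be shadowed by an earlier rule.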