Firewall Wizards mailing list archives
Re: Opinion: Worst interface ever.
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 5 Jul 2005 10:43:59 -0400 (EDT)
On Tue, 5 Jul 2005, Dave Piscitello wrote:
> This is not correct. If you CHOOSE, the policy manager will order the ruleset for you. Manual mode is available in the details view. Right-click any policy and you can switch to manual mode and move policies in whatever order you wish.

Well, I didn't choose, it was just doing it. Thanks though, I'll see if this helps in the "set up a rule and have it actually work" case. The major difference I could see between my original non-working PAT rule and the one that did work was that one had the port set to client and the other said it didn't care about the port, which to me seems equivalent.

> > evaluation order, there's no easy way that I can find to figure out what order something's going to be evaluated in.
>
> I don't understand this comment. The help page explains exactly how the policies are ordered, precedence actions, etc.

Help wasn't working for me, and the interface was having major issues on an idle Server 2003 system (the menu bar was floating above the window it lived in.) Trying to figure out which rule was tripping the inbound traffic really didn't end up helping anyway (logs said permitted, firewall said ICMP port unreachable), but I was frustrated by the lack of ability to figure out why the system was generating unreachables for PAT or NAT with a separate external address (I tried both) for one rule, but not for another.

> "Fireware Policy Manager automatically sorts policies from the most detailed to the most general. Each time you add a policy, Policy Manager compares the new rule with all the rules in your configuration file. To set the precedence, Policy Manager uses these criteria:
>
> 1. Protocols set for the policy type
> 2. Traffic rules of the To field
> 3. Traffic rules of the From field
> 4. Firewall action
> 5. Schedule
> 6. Alphanumeric sequence based on policy type
> 7. Alphanumeric sequence based on policy name
> ... <additional details not cut-pasted>

When I suggested that they optimize the "deny all" default deny to the top of the sequence, because then it'd really scream, it took him a couple of seconds to laugh.

This is the policy order I have on my kids' subnet ;-)
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net    which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
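[Editor's added example, not code from the post above or from WatchGuard.] The seven-criterion ordering quoted from the Fireware help is easier to reason about as a sort key feeding a first-match evaluator. The toy below does that and answers the question Paul was stuck on, "which rule is tripping this packet", under both automatic and manual ordering. The help text only names the criteria; how "most detailed" is scored within each one (fewer protocols, longer prefix, deny before allow, named schedule before "always") is an assumption made here, as is the constructed ruleset.

```python
"""Added example, not code from the list post or from WatchGuard.

A toy first-match policy evaluator that orders policies "from the most
detailed to the most general" using the seven criteria quoted from the
Fireware help, and reports which policy a packet hits under automatic
or manual ordering.  How "detailed" is scored within each criterion is
an assumption made here; the help text only names the criteria.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Policy:
    name: str
    policy_type: str              # e.g. "Ping", "HTTP", "Any"
    protocols: frozenset          # e.g. frozenset({"icmp"}); empty = any protocol
    src: str                      # "From" field as CIDR; "0.0.0.0/0" = any
    dst: str                      # "To" field as CIDR
    action: str                   # "allow" or "deny"
    schedule: str = "always"      # "always" or a named schedule


def specificity_key(p: Policy) -> tuple:
    """Sort key: smaller sorts first (= evaluated first).

    The tuple follows the help text's precedence order.  Scoring rules
    (assumed, not from the help text): fewer protocols beats more and
    'any protocol' is least specific; a longer prefix beats a shorter
    one; deny beats allow; a named schedule beats 'always'; then policy
    type and policy name A-Z.
    """
    return (
        len(p.protocols) if p.protocols else 256,       # 1. protocols
        -ipaddress.ip_network(p.dst).prefixlen,         # 2. To field
        -ipaddress.ip_network(p.src).prefixlen,         # 3. From field
        0 if p.action == "deny" else 1,                 # 4. firewall action
        0 if p.schedule != "always" else 1,             # 5. schedule
        p.policy_type.lower(),                          # 6. policy type
        p.name.lower(),                                 # 7. policy name
    )


def matches(p: Policy, proto: str, src: str, dst: str) -> bool:
    """True if the packet (proto, src, dst) falls within the policy."""
    if p.protocols and proto not in p.protocols:
        return False
    return (ipaddress.ip_address(src) in ipaddress.ip_network(p.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(p.dst))


def first_match(policies, proto, src, dst, auto_sort=True):
    """Return (policy name, action) of the first policy that matches, or
    (None, 'deny') if nothing matches.  auto_sort=True emulates the
    automatic ordering; False keeps the list's (manual) order."""
    order = sorted(policies, key=specificity_key) if auto_sort else list(policies)
    for p in order:
        if matches(p, proto, src, dst):
            return p.name, p.action
    return None, "deny"


# Constructed sample ruleset, written in the manual order the post jokes
# about: the catch-all deny sitting at the top.
POLICIES = [
    Policy("Deny-All", "Any", frozenset(), "0.0.0.0/0", "0.0.0.0/0", "deny"),
    Policy("Allow-Ping-LAN", "Ping", frozenset({"icmp"}),
           "192.168.1.0/24", "0.0.0.0/0", "allow"),
    Policy("Deny-Kids-HTTP", "HTTP", frozenset({"tcp"}),
           "192.168.1.0/24", "0.0.0.0/0", "deny"),
    Policy("Allow-HTTP-Web", "HTTP", frozenset({"tcp"}),
           "0.0.0.0/0", "203.0.113.10/32", "allow"),
]


def sorted_names(policies=POLICIES):
    """Policy names in the order the automatic sort would evaluate them."""
    return [p.name for p in sorted(policies, key=specificity_key)]


if __name__ == "__main__":
    print("auto order:", sorted_names())
    # Same ruleset, two orderings, opposite verdicts for the same packet.
    print(first_match(POLICIES, "icmp", "192.168.1.10", "8.8.8.8"))
    print(first_match(POLICIES, "icmp", "192.168.1.10", "8.8.8.8", auto_sort=False))
    # "To" outranks "From", so the /32 web-server allow is evaluated before
    # the kids' subnet deny even though the deny is tighter on "From".
    print(first_match(POLICIES, "tcp", "192.168.1.10", "203.0.113.10"))
```

Two things the run shows that the prose alone does not: with the deny-all moved to the top (manual order), every packet hits it first, which is the "it'd really scream" joke; and because the To field is criterion 2 and the From field criterion 3, a rule that is narrower on destination is evaluated before one that is narrower on source, so a per-subnet deny can be silently bypassed by a host-specific allow. Whatever the real scoring is, that is exactly the kind of ordering surprise worth checking in the details view before trusting the automatic sort.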