Re: [fw-wiz] Is the order of the rules entered in iptables important?

From: Anton J Aylward, CISSP (aja@si.on.ca)
Date: 08/05/02

To: David Lang <david.lang@digitalinsight.com>
Date: Mon Aug  5 08:19:01 2002

You should also check Brent Chapman's papers and the O'Reilly book he
co-authored with Elizabeth Zwicky.

Brent found that some routers try to optimize their filter rules and do
so in such a way that results in untoward effects.

I don't know which volume will be available to you, but in mine it's in a
section:

  Choosing a filtering Packet Router
        It should apply rules in the order specified.

See if the problems he describes with the optimizations would apply to
you.

On Sun, 2002-08-04 at 23:14, David Lang wrote:
> there are a few firewalls that apply rules in a 'best fit' strategy rather
> than in order. Raptor (now Symantec Enterprise Firewall) is one example
> that does this.
>
> there was a debate on the pros and cons of this a year or so ago.
>
> David Lang
>
> On Thu, 1 Aug 2002, Christopher Hicks wrote:
>
> > On Thu, 1 Aug 2002, Kenny G. Dubuisson, Jr. wrote:
> > > does the order in which rules are added for an iptables table matter?
> >
> > Yes. I'm not aware of many firewall ruleset systems where the order
> > doesn't matter.

-- 
Anton J Aylward, CISSP	| http://groups.yahoo.com/group/ITTMG-Canada
System Integrity	| http://www.isc2.org
InfoSec Consulting 	| http://www.issa-intl.org
Voice: (416) 497-0201 	| http://www.issa-toronto.org
mailto:aja@si.on.ca	|  
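The thread contrasts iptables-style first-match evaluation with the 'best fit' strategy mentioned for Raptor. The following is an added example, not code from the thread or from any of the products named: it simulates both evaluation orders over a small constructed rule set, and adds a shadowing check that flags rules which can never fire under first-match because an earlier, broader rule already covers them. The 'best fit' tie-breaking (longest source prefix wins, then an explicit port beats a wildcard, then list position) is a hypothetical model chosen for illustration, not a description of Raptor's actual algorithm.

```python
"""Added example: first-match vs. hypothetical 'best fit' rule evaluation,
plus a check for rules shadowed by earlier, broader ones."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str                # source prefix, e.g. "10.0.0.0/8"
    dport: Optional[int]    # destination port; None means any port
    action: str             # "ACCEPT" or "DROP"

    def matches(self, src_ip: str, dport: int) -> bool:
        net = ipaddress.ip_network(self.src, strict=False)
        in_net = ipaddress.ip_address(src_ip) in net
        return in_net and (self.dport is None or self.dport == dport)


def first_match(rules: List[Rule], src_ip: str, dport: int, policy: str = "DROP") -> str:
    """iptables-style: the first rule in list order that matches decides;
    otherwise the chain policy applies."""
    for r in rules:
        if r.matches(src_ip, dport):
            return r.action
    return policy


def best_fit(rules: List[Rule], src_ip: str, dport: int, policy: str = "DROP") -> str:
    """Hypothetical 'best fit' model (an assumption for illustration, not a
    vendor algorithm): among matching rules, the most specific one wins.
    Specificity key: longest source prefix, then explicit port over wildcard,
    then earlier list position."""
    best, best_key = None, None
    for i, r in enumerate(rules):
        if r.matches(src_ip, dport):
            prefixlen = ipaddress.ip_network(r.src, strict=False).prefixlen
            key = (prefixlen, r.dport is not None, -i)
            if best_key is None or key > best_key:
                best, best_key = r, key
    return best.action if best else policy


def shadowed(rules: List[Rule]) -> List[int]:
    """Indices of rules that can never fire under first-match, because an
    earlier rule's match set contains theirs (same-or-broader source prefix
    and same-or-wildcard port). Useful as a lint before loading a ruleset."""
    out = []
    for i, r in enumerate(rules):
        r_net = ipaddress.ip_network(r.src, strict=False)
        for earlier in rules[:i]:
            e_net = ipaddress.ip_network(earlier.src, strict=False)
            port_covered = earlier.dport is None or earlier.dport == r.dport
            if r_net.subnet_of(e_net) and port_covered:
                out.append(i)
                break
    return out


# Constructed rule set: a broad allow for the whole LAN listed first, then a
# narrower rule meant to block SSH from a single host.
RULES = [
    Rule("10.0.0.0/8", None, "ACCEPT"),
    Rule("10.0.0.5/32", 22, "DROP"),
]


def compare(rules: List[Rule], src_ip: str, dport: int) -> dict:
    """Evaluate the same packet under both strategies."""
    return {
        "first_match": first_match(rules, src_ip, dport),
        "best_fit": best_fit(rules, src_ip, dport),
    }


if __name__ == "__main__":
    # As listed: first-match lets the SSH packet through, best-fit drops it.
    print(compare(RULES, "10.0.0.5", 22))
    # Reordered so the specific rule comes first: both strategies agree.
    print(compare(list(reversed(RULES)), "10.0.0.5", 22))
    # The lint reports rule 1 as unreachable in the original order.
    print(shadowed(RULES), shadowed(list(reversed(RULES))))
```

Under first-match the intended block on 10.0.0.5 is silently dead in the original order, which is exactly the kind of surprise the book's advice ("it should apply rules in the order specified") guards against; the `shadowed` check is the sort of test to run before assuming a ruleset does what its author meant.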