RE: [fw-wiz] Rationale for BSD (I)PF rule order?

From: Stewart, John (johns_at_artesyncp.com)
Date: 05/09/03

    To: firewall-wizards@honor.icsalabs.com
    Date: Fri, 9 May 2003 11:30:16 -0500

    > It would be more understandable to say "no pets allowed, except for
    > goldfish and iguanas" than to say "Goldfish and iguanas are allowed in my
    > apartment. No other pets are allowed". Even though the latter would sound
    > more natural to a computer, it is human beings who will maintain the pet
    > rules (or in this case, firewall rules).

    Or, IMHO, even better than first or last fit is "best" fit. This is definitely the most "human" way of understanding firewall rules. You don't have to bother with which order they are in at all:

    - No pets are allowed
    - Goldfish and iguanas are allowed

    ...are the two rules in the ruleset, in any order.

    This is the way Raptor handles it, and when it looks for a rule match, it starts at the most specific. If a goldfish comes in, the goldfish/iguana rule matches. If a cat comes in, the general pet rule matches.

    I don't like everything about Raptor, but the rule matching is definitely something I do. I'm not aware of any other products or open source projects which do anything similar, but perhaps some do.

    johnS
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
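The "best fit" matching described in the post, as an added example that is not from the original message and not Raptor's code; the specificity score (prefix lengths plus a bonus for an explicit port) and the deny-wins tie-break are assumptions made here, contrasted with order-dependent first-match:

```python
"""Toy 'best fit' (most-specific-match) packet filter beside first-match.
Added example; the specificity metric and deny-wins tie-break are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # CIDR; /0 means any source
    dst: str = "0.0.0.0/0"        # CIDR; /0 means any destination
    dport: Optional[int] = None   # None means any destination port

    def matches(self, src_ip: str, dst_ip: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))

    def specificity(self) -> int:
        # Longer prefixes and an explicit port make a rule more specific.
        return (ip_network(self.src).prefixlen + ip_network(self.dst).prefixlen
                + (16 if self.dport is not None else 0))


def first_match(rules, src_ip, dst_ip, dport, default="deny"):
    """Order-dependent: the first rule that matches decides."""
    for r in rules:
        if r.matches(src_ip, dst_ip, dport):
            return r.action
    return default


def best_fit(rules, src_ip, dst_ip, dport, default="deny"):
    """Order-independent: the most specific matching rule decides.
    On an exact specificity tie, deny wins (assumed conservative tie-break)."""
    hits = [r for r in rules if r.matches(src_ip, dst_ip, dport)]
    if not hits:
        return default
    top = max(r.specificity() for r in hits)
    actions = {r.action for r in hits if r.specificity() == top}
    return "deny" if "deny" in actions else actions.pop()


# Constructed ruleset: "no pets allowed, except goldfish and iguanas".
NO_PETS = Rule("deny")                                  # any -> any, deny
GOLDFISH = Rule("allow", src="10.1.0.0/16", dport=443)  # the exception
RULESET_A = [NO_PETS, GOLDFISH]   # same two rules ...
RULESET_B = [GOLDFISH, NO_PETS]   # ... in the opposite order
```

With best_fit both orders give the same verdict for a "goldfish" packet, while first_match flips depending on which rule comes first.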
