RE: [fw-wiz] Rationale for BSD (I)PF rule order?
From: Stewart, John (johns_at_artesyncp.com)
To: firstname.lastname@example.org
Date: Fri, 9 May 2003 11:30:16 -0500
> It would be more understandable to say "no pets allowed, except for
> goldfish and iguanas" than to say "Goldfish and iguanas are allowed in my
> apartment. No other pets are allowed". Even though the latter would sound
> more natural to a computer, it is human beings who will maintain the pet
> rules (or in this case, firewall rules).
Or, IMHO, even better than first or last fit is "best" fit. This is definitely the most "human" way of understanding firewall rules. You don't have to bother with which order they are in at all:
- No pets are allowed
- Goldfish and iguanas are allowed
...are the two rules in the ruleset, in any order.
This is the way Raptor handles it, and when it looks for a rule match, it starts at the most specific. If a goldfish comes in, the goldfish/iguana rule matches. If a cat comes in, the general pet rule matches.
I don't like everything about Raptor, but the rule matching is definitely something I do like. I'm not aware of any other products or open source projects which do anything similar, but perhaps some do.
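The difference between first-match and best-fit ("most specific wins") evaluation, shown as an added example in Python; this is not code from the post, from Raptor, or from any BSD packet filter. The rules, packets and the specificity score (prefix lengths plus fixed points for a pinned protocol and port) are constructed for illustration; Raptor's real scoring is not described in the thread, so it is an assumption here. The example also covers the caveat a best-fit engine has to deal with: two overlapping rules that are equally specific, where "most specific" no longer decides and the engine needs an explicit tie-break (here it fails closed and reports the clash).

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                      # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None      # None = any protocol
    dport: Optional[int] = None      # None = any destination port


@dataclass(frozen=True)
class Packet:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    proto: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when every field of the rule covers the packet (None = wildcard)."""
    return (pkt.src in rule.src and pkt.dst in rule.dst
            and rule.proto in (None, pkt.proto)
            and rule.dport in (None, pkt.dport))


def specificity(rule: Rule) -> int:
    """Assumed scoring: longer prefixes and pinned proto/port make a rule more specific."""
    return (rule.src.prefixlen + rule.dst.prefixlen
            + (8 if rule.proto is not None else 0)
            + (16 if rule.dport is not None else 0))


def first_match(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, str]:
    """Classic ordered evaluation: the first rule that matches wins, so order is policy."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action, rule.name
    return default, "default"


def best_match(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, str]:
    """Best-fit evaluation: the most specific matching rule wins, regardless of order.

    Raises ValueError when two equally specific rules both match, because at that
    point specificity alone cannot decide and the ruleset needs an explicit tie-break.
    """
    hits = [r for r in rules if matches(r, pkt)]
    if not hits:
        return default, "default"
    top = max(specificity(r) for r in hits)
    best = [r for r in hits if specificity(r) == top]
    if len(best) > 1:
        raise ValueError("ambiguous ruleset: " + ", ".join(sorted(r.name for r in best)))
    return best[0].action, best[0].name


def is_ambiguous(rules: List[Rule], pkt: Packet) -> bool:
    """Convenience check: does best-fit evaluation hit an unresolvable tie for this packet?"""
    try:
        best_match(rules, pkt)
        return False
    except ValueError:
        return True


# Constructed sample ruleset (addresses are illustrative, not real infrastructure).
NO_PETS = Rule("no-pets", "deny",
               ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.1.0/24"))
GOLDFISH_RULE = Rule("goldfish", "allow",
                     ipaddress.ip_network("10.1.2.0/24"), ipaddress.ip_network("192.168.1.10/32"),
                     proto="tcp", dport=443)
RULES_DENY_FIRST = [NO_PETS, GOLDFISH_RULE]     # ordered engines deny the goldfish here
RULES_ALLOW_FIRST = [GOLDFISH_RULE, NO_PETS]    # ordered engines allow it here

GOLDFISH = Packet(ipaddress.ip_address("10.1.2.3"), ipaddress.ip_address("192.168.1.10"), "tcp", 443)
CAT = Packet(ipaddress.ip_address("10.9.9.9"), ipaddress.ip_address("192.168.1.20"), "tcp", 80)

# Two overlapping rules with the same specificity score: neither is "more specific".
AMBIGUOUS = [
    Rule("lab-out", "allow", ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("0.0.0.0/0"), proto="tcp"),
    Rule("dmz-in", "deny", ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("192.168.0.0/16"), proto="tcp"),
]
CLASH = Packet(ipaddress.ip_address("10.1.5.5"), ipaddress.ip_address("192.168.7.7"), "tcp", 22)

if __name__ == "__main__":
    print("first-match, deny listed first :", first_match(RULES_DENY_FIRST, GOLDFISH))
    print("first-match, allow listed first:", first_match(RULES_ALLOW_FIRST, GOLDFISH))
    print("best-fit, either order         :", best_match(RULES_DENY_FIRST, GOLDFISH))
    print("best-fit, cat                  :", best_match(RULES_DENY_FIRST, CAT))
    print("best-fit tie detected          :", is_ambiguous(AMBIGUOUS, CLASH))
```

Running it shows the point of the post: with first-match the goldfish is denied or allowed depending purely on listing order, while best-fit returns the goldfish rule in both orders and falls through to the general "no pets" rule for the cat. The last line shows the cost of best-fit: for the `CLASH` packet an ordered engine silently picks whichever equally specific rule is listed first, whereas a best-fit engine has no basis to choose, so a ruleset compiler or audit step should flag such pairs before deployment rather than leave the outcome to an implementation detail.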
firewall-wizards mailing list