Re: [fw-wiz] Rule lookup strategies (Was: Rationale for BSD (I)PF rule order?)
From: Mikael Olsson (mikael.olsson_at_clavister.com)
To: "Stewart, John" <email@example.com>
Date: Sat, 10 May 2003 01:48:14 +0200
"Stewart, John" wrote:
> Or, IMHO, even better than first or last fit is "best" fit. This is
> definitely the most "human" way of understanding firewall rules.
> You don't have to bother with which order they are in at all:
I've never worked with this myself, but I've heard people say
"it works for small configs, but can do unexpected/unwanted things
for large ones".
What'd your thoughts on that be?
I'm thinking along the lines of
"do foo to 0.0.0.0/0 -> 10.0.0.2/32, port 80-81",
"do bar to 0.0.0.0/0 -> 10.0.0.2/31, port 80".
Which one is more specific? There's one IP and two ports
in the first one, and two IPs and one port in the other one.
(Or substitute various other IP and/or protocol/port
combinations for other interesting problems).
The reason I'm asking this is because it generally looks like a
cool and worthwhile idea, but one I'd like to know more about
before deciding whether I actually like it or not :)
--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00 Mobile: +46 (0)70 26 222 05 Fax: +46 (0)660 122 50
WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firstname.lastname@example.org
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
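An added illustration of the ambiguity raised in the post (example code, not from the mail or from any firewall product): the two rules above are evaluated for one packet under three plausible definitions of "most specific" (destination prefix first, port span first, and total size of the matched address/port space; the metric names and the sample source address are assumptions), and each definition picks a different winner or ties.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    ports: range  # inclusive port span, e.g. range(80, 82) means 80-81

    def matches(self, src_ip: str, dst_ip: str, port: int) -> bool:
        return (ipaddress.ip_address(src_ip) in self.src
                and ipaddress.ip_address(dst_ip) in self.dst
                and port in self.ports)


# The two rules from the post; both leave the source unconstrained.
RULES = [
    Rule("foo", ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("10.0.0.2/32"), range(80, 82)),
    Rule("bar", ipaddress.ip_network("0.0.0.0/0"), ipaddress.ip_network("10.0.0.2/31"), range(80, 81)),
]


# Three candidate definitions of "more specific" (lower key = more specific).
def prefix_then_port(r: Rule):
    return (-r.dst.prefixlen, -r.src.prefixlen, len(r.ports))

def port_then_prefix(r: Rule):
    return (len(r.ports), -r.dst.prefixlen, -r.src.prefixlen)

def matched_space(r: Rule):
    # Size of the (src, dst, port) space the rule can match.
    return r.src.num_addresses * r.dst.num_addresses * len(r.ports)


def best_fit(rules, src_ip: str, dst_ip: str, port: int, metric) -> list[str]:
    """Names of the most specific matching rule(s); more than one name means a tie."""
    hits = [r for r in rules if r.matches(src_ip, dst_ip, port)]
    if not hits:
        return []
    best = min(metric(r) for r in hits)
    return sorted(r.name for r in hits if metric(r) == best)


def compare(src_ip: str = "192.0.2.10", dst_ip: str = "10.0.0.2", port: int = 80) -> dict[str, list[str]]:
    """Which rule wins for a single constructed packet under each metric."""
    return {m.__name__: best_fit(RULES, src_ip, dst_ip, port, m)
            for m in (prefix_then_port, port_then_prefix, matched_space)}


if __name__ == "__main__":
    for metric, winners in compare().items():
        print(f"{metric:17} -> {winners}")
```

A packet to 10.0.0.2:80 is matched by both rules, and the outcome depends entirely on which metric the engine uses, which is why a best-fit policy needs an explicit, documented tiebreak.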