Re: [fw-wiz] Rationale for BSD (I)PF rule order?

From: Barney Wolff (barney_at_databus.com)
Date: 05/10/03

  • Next message: Darren Reed: "Re: [fw-wiz] Rationale for BSD (I)PF rule order?"
    To: Bill Royds <Bill@royds.net>
    Date: Fri, 9 May 2003 22:35:24 -0400
    

    On Fri, May 09, 2003 at 09:10:15PM -0400, Bill Royds wrote:
    > Is it not better to have a ruleset firing on closest fit? Decide on which
    > rule to apply based on a nesting of address space (single hosts with subnets
    > within domains within interfaces, exact ports within port ranges etc.) and
    > match on protocol (UDP versus ICMP versus TCP etc.) Rules are made of tuples
    > similar to sockets, except that there are other possible dimensions added
    > (protocol, authenticated, un-authenticated, source interface, destination
    > interface, time of day, phase of moon etc.). Order of rule firing based on
    > textual order is always going to create problems.
    > If the firewall can generate this tree implied by nesting, then rule lookup
    > will be faster as well, since the maximum lookup is log(nesting factor) and
    > it can still be done with hash table lookup.

    Well of course hash won't work for anything that is a range or a subnet.

    I am simply amazed at what people have been saying in this thread.
    Unless the firewall hardware actually has a CAM, rule evaluation is
    going to be sequential, whether in the order configured or not.
    Therefore, I for one will never accept a scheme where I have to think
    hard about what the ruleset will actually do. I want the simplest,
    clearest relationship between what I see and what the firewall will do,
    and that's sequential, first-match.

    As Randy Bush would say, I invite my competitors to use other schemes.

    -- 
    Barney Wolff         http://www.databus.com/bwresume.pdf
    I'm available by contract or FT, in the NYC metro area or via the 'Net.
    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
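An added illustration of the two evaluation schemes argued over in this thread (example code, not from the thread or from any firewall): a small Python model of sequential first-match beside a hypothetical closest-fit scorer, run over a constructed ruleset. Under first-match only textual order decides; under closest-fit the outcome depends on the scoring function, and when two rules tie, quietly on order again.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class Rule:
    action: str   # "pass" or "block"
    proto: str    # "tcp", "udp", "icmp"
    src: str      # source CIDR
    dst: str      # destination CIDR
    ports: tuple  # inclusive (low, high) destination port range

    def matches(self, proto, src, dst, dport):
        return (self.proto == proto
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and self.ports[0] <= dport <= self.ports[1])

    def specificity(self):
        # Hypothetical "closest fit" score: longer prefixes and narrower port
        # ranges score higher. The weighting is an arbitrary design choice.
        return (ipaddress.ip_network(self.src).prefixlen
                + ipaddress.ip_network(self.dst).prefixlen
                + 16 - (self.ports[1] - self.ports[0]).bit_length())

def first_match(rules, proto, src, dst, dport, default="block"):
    """Sequential first-match: the first rule in textual order that matches wins."""
    for r in rules:
        if r.matches(proto, src, dst, dport):
            return r.action
    return default

def closest_fit(rules, proto, src, dst, dport, default="block"):
    """Most-specific match: the scoring function, not textual order, decides."""
    hits = [r for r in rules if r.matches(proto, src, dst, dport)]
    return max(hits, key=Rule.specificity).action if hits else default

# Constructed sample ruleset and packet (not from the thread).
BROAD_BLOCK = Rule("block", "tcp", "0.0.0.0/0", "10.0.0.0/8", (0, 65535))
ADMIN_SSH = Rule("pass", "tcp", "192.168.1.0/24", "10.0.0.5/32", (22, 22))
# Two rules with equal specificity that disagree about the same packet.
SRC_NET_PASS = Rule("pass", "tcp", "192.168.1.0/24", "10.0.0.5/32", (22, 22))
SRC_HOST_BLOCK = Rule("block", "tcp", "192.168.1.7/32", "10.0.0.0/24", (22, 22))
PKT = ("tcp", "192.168.1.7", "10.0.0.5", 22)

if __name__ == "__main__":
    print(first_match([BROAD_BLOCK, ADMIN_SSH], *PKT))        # block: order wins
    print(closest_fit([BROAD_BLOCK, ADMIN_SSH], *PKT))        # pass: score wins
    print(closest_fit([SRC_NET_PASS, SRC_HOST_BLOCK], *PKT))  # pass (tie)
    print(closest_fit([SRC_HOST_BLOCK, SRC_NET_PASS], *PKT))  # block (tie)
```

With a tie in scores, max() returns whichever rule appears first, so the closest-fit scheme ends up depending on textual order anyway, just less visibly than first-match does.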