Re: [fw-wiz] Rationale for BSD (I)PF rule order?

From: Darren Reed (
Date: 05/10/03

  • Next message: Gary Flynn: "Re: [fw-wiz] Rule lookup strategies (Was: Rationale for BSD (I)PF rule order?)"
    Date: Sat, 10 May 2003 15:10:25 +1000 (EST)

    In some email I received from Stewart, John, sie wrote:
    > > It would be more understandable to say "no pets allowed, except for
    > > goldfish and iguanas" than to say "Goldfish and iguanas are allowed in my
    > > apartment. No other pets are allowed". Even though the latter would sound
    > > more natural to a computer, it is human beings who will maintain the pet
    > > rules (or in this case, firewall rules).
    > Or, IMHO, even better than first or last fit is "best" fit. This is
    > definitely the most "human" way of understanding firewall rules. You
    > don't have to bother with which order they are in at all:
    > - No pets are allowed
    > - Goldfish and iguanas are allowed
    > ....are the two rules in the ruleset, in any order.
    > This is the way Raptor handles it, and when it looks for a rule match,
    > it starts at the most specific. If a goldfish comes in, the goldfish/iguana
    > rule matches. If a cat comes in, the general pet rule matches.
    > I don't like everything about Raptor, but the rule matching is definitely
    > something I do. I'm not aware of any other products or open source
    > projects which do anything similar, but perhaps some do.

    My question to you is, how do you know their firewall works in this way
    and this isn't just a view given to you by the application interface to
    the back end?

    That aside, there are a few papers around on how to evaluate firewall rules
    better from a point of view that centers on finding the best possible
    match for a given packet as early as possible. This is sort of aligned to
    what you're describing here.

    What this really comes down to is how you think of the "problem"
    (access control). This seems to be a fairly abstract concept where
    different people think of what they want in a different way. You
    appear to like the idea of "best match" whereas others might prefer
    explicit listing with a net at the top (default block) to stop everything
    but a few or to siphon off what you want to allow and have a bucket
    at the bottom to catch the rest. I'm not going to say that one way or
    another is the correct mode to think of this problem in, but what I will
    say is that "best match" rings alarms in my head. Why? Because when it
    comes to networking, the rule that "best matches" a packet could result
    in unexpected behaviour if the rule that is the "best match" is not as
    precise as it should be or it results in "extra details" being ignored.

    If, for example, your firewall has 4 networks going through it and the
    best match rule for a packet is "allow host a to talk to host b", then
    what does this allow for in the case of source routed packets? Oh,
    you might say "do not allow any source routed packets", but is that
    clearly a better match than "host A to host B" or do all of those kind
    of rules now have to have "host A to host B without source routing"?
    Now even if I had "no packets with source routing" in there, is that
    necessarily a better match than "host A to host B"? I'm sure you might
    come up with "other" solutions but do they necessarily fit solely within
    the "best match" category or require "extra" action?

    firewall-wizards mailing list
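To make the strategies debated in this thread concrete, here is an added toy evaluator (not code from the thread, from IPFilter, or from Raptor) that runs the same two rules through first-match, IPFilter-style last-match, and a constructed "most specific wins" scoring; the addresses, the Rule and Packet types, and the specificity formula are all assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    src: str = "0.0.0.0/0"             # CIDR; longer prefix = more specific
    dst: str = "0.0.0.0/0"
    src_routed: Optional[bool] = None  # None means the rule does not care

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_routed: bool = False           # carries an IP source-route option?

def matches(rule: Rule, pkt: Packet) -> bool:
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    return rule.src_routed is None or rule.src_routed == pkt.src_routed

def specificity(rule: Rule) -> int:
    # Assumed scoring: address prefix bits, plus one per option the rule pins down.
    bits = ipaddress.ip_network(rule.src).prefixlen + ipaddress.ip_network(rule.dst).prefixlen
    return bits + int(rule.src_routed is not None)

def first_match(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    return next((r.action for r in rules if matches(r, pkt)), default)

def last_match(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    # IPFilter semantics: the last matching rule (absent "quick") wins.
    hits = [r for r in rules if matches(r, pkt)]
    return hits[-1].action if hits else default

def best_match(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    hits = [r for r in rules if matches(r, pkt)]
    return max(hits, key=specificity).action if hits else default

# Constructed ruleset from the message: a blanket ban on source-routed packets
# and a narrow "host A may talk to host B" allow (addresses are made up).
RULES = [
    Rule("block", src_routed=True),
    Rule("pass", src="10.1.1.5/32", dst="10.2.2.9/32"),
]
SOURCE_ROUTED_A_TO_B = Packet("10.1.1.5", "10.2.2.9", src_routed=True)
```

Under both ordered strategies the operator's rule order decides what happens to a source-routed A-to-B packet, while under the constructed best-match scoring the narrow allow silently outranks the blanket ban unless every allow is rewritten as "host A to host B without source routing".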

