Re: [fw-wiz] Rule lookup strategies (Was: Rationale for BSD (I)PF rule order?)
From: Gary Flynn (flynngn_at_jmu.edu)
Date: Sat, 10 May 2003 04:41:14 -0400
Mikael Olsson wrote:
>"Stewart, John" wrote:
>>Or, IMHO, even better than first or last fit is "best" fit. This is
>>definitely the most "human" way of understanding firewall rules.
>>You don't have to bother with which order they are in at all:
>I've never worked with this myself, but I've heard people say
>"it works for small configs, but can do unexpected/unwanted things
> for large ones".
>What'd your thoughts on that be?
>I'm thinking along the lines of
>"do foo to 0.0.0.0/0 -> 10.0.0.2/32, port 80-81",
>"do bar to 0.0.0.0/0 -> 10.0.0.2/31, port 80".
>Which one is more specific? There's one IP and two ports
>in the first one, and two IPs and one port in the other one.
>(Or substitute for various other IP and/or protocol/port
> combinations for other interesting problems).
Precisely. "Best" is in the eyes of the algorithm and it would seem to add
complexity and uncertainty. I don't want any type of assumptions on the part
of the firewall. I want it fully deterministic and to do exactly what I say
and nothing more. It should not make assumptions for me on "what is best".
Next we'll have a little paper clip fellow running around the GUI making
suggestions. :)
firewall-wizards mailing list
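The following is an added illustration, not code from the thread or from any firewall product. It takes the two rules Mikael Olsson quoted ("foo" for 10.0.0.2/32 ports 80-81, "bar" for 10.0.0.2/31 port 80) and evaluates a packet against them three ways: deterministic first-match in configuration order, and "best fit" under two equally plausible but hypothetical specificity scores (prefix length first, port width first). It also includes a small audit that flags rule pairs which overlap but where neither is more specific than the other on every axis, which is exactly the case where "best" is undefined. The rule names, addresses and ports are from the quoted message; the scoring functions, the source address 192.0.2.1 and the function names are assumptions made for this example.

```python
"""Added example (not from the original thread): first-match vs. "best-fit"
rule lookup on the two rules from the quoted message, plus an audit for
rule pairs whose specificity is not comparable.  Scoring functions and
helper names are hypothetical, chosen for illustration only."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    port_lo: int
    port_hi: int

    def matches(self, src: IPv4Address, dst: IPv4Address, port: int) -> bool:
        return (src in self.src and dst in self.dst
                and self.port_lo <= port <= self.port_hi)


# The two rules from the quoted message, in the order they were written.
RULES: List[Rule] = [
    Rule("foo", IPv4Network("0.0.0.0/0"), IPv4Network("10.0.0.2/32"), 80, 81),
    Rule("bar", IPv4Network("0.0.0.0/0"), IPv4Network("10.0.0.2/31"), 80, 80),
]


def first_match(rules: List[Rule], src: IPv4Address, dst: IPv4Address,
                port: int) -> Optional[Rule]:
    """Deterministic lookup: the first matching rule in config order wins."""
    for r in rules:
        if r.matches(src, dst, port):
            return r
    return None


# Two hypothetical "specificity" orderings a best-fit engine might pick.
def score_prefix_first(r: Rule) -> Tuple[int, int]:
    # longest destination prefix wins; narrower port range only breaks ties
    return (r.dst.prefixlen, -(r.port_hi - r.port_lo))


def score_port_first(r: Rule) -> Tuple[int, int]:
    # narrowest port range wins; longer prefix only breaks ties
    return (-(r.port_hi - r.port_lo), r.dst.prefixlen)


def best_fit(rules: List[Rule], src: IPv4Address, dst: IPv4Address, port: int,
             score: Callable[[Rule], Tuple[int, int]]) -> Optional[Rule]:
    """'Best fit' lookup: among matching rules, the highest score wins."""
    cands = [r for r in rules if r.matches(src, dst, port)]
    return max(cands, key=score) if cands else None


def lookup_all(src: str = "192.0.2.1", dst: str = "10.0.0.2", port: int = 80) -> dict:
    """Evaluate one packet under all three strategies (constructed input)."""
    s, d = IPv4Address(src), IPv4Address(dst)
    fm = first_match(RULES, s, d, port)
    bp = best_fit(RULES, s, d, port, score_prefix_first)
    bo = best_fit(RULES, s, d, port, score_port_first)
    return {
        "first_match": fm.name if fm else None,
        "best_fit_prefix_first": bp.name if bp else None,
        "best_fit_port_first": bo.name if bo else None,
    }


def at_least_as_specific(a: Rule, b: Rule) -> bool:
    """True if a's match set is contained in b's on every axis."""
    return (a.src.subnet_of(b.src) and a.dst.subnet_of(b.dst)
            and b.port_lo <= a.port_lo and a.port_hi <= b.port_hi)


def overlaps(a: Rule, b: Rule) -> bool:
    """True if some packet can match both rules."""
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and a.port_lo <= b.port_hi and b.port_lo <= a.port_hi)


def incomparable_pairs(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Audit: overlapping rule pairs where neither dominates the other.
    For these, 'best fit' depends entirely on the engine's tie-break."""
    out = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if overlaps(a, b) and not at_least_as_specific(a, b) \
                    and not at_least_as_specific(b, a):
                out.append((a.name, b.name))
    return out


if __name__ == "__main__":
    print(lookup_all())                  # 10.0.0.2:80 matches both rules
    print(lookup_all(dst="10.0.0.3"))    # only "bar" matches
    print(lookup_all(port=81))           # only "foo" matches
    print(incomparable_pairs(RULES))     # [("foo", "bar")]
```

For a packet to 10.0.0.2 port 80 both rules match: first-match returns "foo" because it is listed first, best-fit returns "foo" if prefix length is scored first and "bar" if port width is scored first. Nothing in the packet or the rules decides between those two scores; only the engine's tie-break does, which is the uncertainty the reply objects to. The audit function is the check a practitioner would want before trusting a best-fit engine: every pair it reports is a place where the outcome is defined by the implementation rather than by the policy.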