Re: [fw-wiz] Rule lookup strategies (Was: Rationale for BSD (I)PF rule order?)

From: Gary Flynn (flynngn_at_jmu.edu)
Date: 05/10/03

  • Next message: Luca Berra: "Re: [fw-wiz] Win 2003 and PiX"
    Date: Sat, 10 May 2003 04:41:14 -0400
    

    Mikael Olsson wrote:

    >"Stewart, John" wrote:
    >
    >
    >>Or, IMHO, even better than first or last fit is "best" fit. This is
    >>definitely the most "human" way of understanding firewall rules.
    >>You don't have to bother with which order they are in at all:
    >>
    >>
    >
    >I've never worked with this myself, but I've heard people say
    >"it works for small configs, but can do unexpected/unwanted things
    > for large ones".
    >
    >What'd your thoughts on that be?
    >
    >I'm thinking along the lines of
    >"do foo to 0.0.0.0/0 -> 10.0.0.2/32, port 80-81",
    >"do bar to 0.0.0.0/0 -> 10.0.0.2/31, port 80".
    >
    >Which one is more specific? There's one IP and two ports
    >in the first one, and two IPs and one port in the other one.
    >(Or subtitute for various other IP and/or protocol/port
    > combinations for other interesting problems).
    >

    Precisely. "Best" is in the eyes of the algorithm and it would seem to
    add more complexity and uncertainty. I don't want any type of
    assumptions on the part of the firewall. I want it fully deterministic
    and to do exactly what I say and nothing more. It should not make
    assumptions for me on "what is best". Next we'll have a little paper
    clip fellow running around the GUI making suggestions. :)

    _______________________________________________
    firewall-wizards mailing list
    firewall-wizards@honor.icsalabs.com
    http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
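As an added illustration (not part of the thread or any firewall product), the two rules Mikael quotes are run through first-match and through two different "best fit" specificity metrics; for a packet to 10.0.0.2:80 the winning rule changes with the metric, which is the hidden policy choice Gary objects to. The rule set, the two metrics and the packets are constructed here.

```python
# Added example: "best fit" is only as deterministic as the specificity
# metric the firewall picks. Rules and packets are constructed to mirror
# the thread; neither metric is taken from any real product.
from ipaddress import ip_address, ip_network

# Constructed rule set from the quoted message: (name, dest net, port range)
RULES = [
    ("foo", "10.0.0.2/32", (80, 81)),   # one address, two ports
    ("bar", "10.0.0.2/31", (80, 80)),   # two addresses, one port
]


def matches(rule, dst_ip, dst_port):
    """True if the packet lies inside the rule's address and port ranges."""
    _, net, (lo, hi) = rule
    return ip_address(dst_ip) in ip_network(net) and lo <= dst_port <= hi


def score_prefix_first(rule):
    """Metric A: longer prefix wins; a narrower port range breaks ties."""
    _, net, (lo, hi) = rule
    return (ip_network(net).prefixlen, -(hi - lo + 1))


def score_ports_first(rule):
    """Metric B: narrower port range wins; a longer prefix breaks ties."""
    _, net, (lo, hi) = rule
    return (-(hi - lo + 1), ip_network(net).prefixlen)


def best_fit(dst_ip, dst_port, score):
    """Name of the most specific matching rule under `score`, else None.
    Exact ties fall back to list order, i.e. an ordering dependence that
    the "order does not matter" pitch quietly reintroduces."""
    hits = [r for r in RULES if matches(r, dst_ip, dst_port)]
    return max(hits, key=score)[0] if hits else None


def first_match(dst_ip, dst_port):
    """Deterministic first-match: rule order decides, nothing else."""
    for rule in RULES:
        if matches(rule, dst_ip, dst_port):
            return rule[0]
    return None


if __name__ == "__main__":
    pkt = ("10.0.0.2", 80)   # constructed packet that both rules cover
    print("first-match:          ", first_match(*pkt))                  # foo
    print("best-fit, prefix first:", best_fit(*pkt, score_prefix_first))  # foo
    print("best-fit, ports first: ", best_fit(*pkt, score_ports_first))   # bar
```

Packets covered by only one rule (10.0.0.3:80 or 10.0.0.2:81) get the same answer under every metric; the disagreement appears exactly where the rules overlap.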

