Re: [fw-wiz] Rationale for BSD (I)PF rule order?
From: Paul Robertson (proberts_at_patriot.net)
Date: 05/12/03
- Previous message: Bill Royds: "Re: [fw-wiz] Rationale for BSD (I)PF rule order?"
- In reply to: Avishai Wool: "Re: [fw-wiz] Rationale for BSD (I)PF rule order?"
- Next in thread: Holger Kipp: "Re: [fw-wiz] Rationale for BSD (I)PF rule order?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: yash@acm.org
Date: Sun, 11 May 2003 20:51:47 -0400 (EDT)
On Sat, 10 May 2003, Avishai Wool wrote:
> IMHO, it's worse than Darren wrote. "best match" comes to us
> from the routing world, where matching is almost always one-dimensional:
> a router cares (almost) only about the destination IP address.
> In one dimension, "best match" semantics are well defined.
Indeed, the router may care about "which route to use," which adds an
additional dimension. The key difference (IMO) is that routers try to get
the traffic to the destination via any valid working route, but firewalls
really are about limiting and blocking things, so "best match" isn't quite
the right cognitive tool for most situations compared to first match.
Look at it this way: if I have two routes to a destination IP address, and
I'm a router, I really don't care all that much which way things go, so
long as they get there[1].
> but a firewall has to deal with at least 4 dimensional matching:
> source & destination IP addresses, source & destination port numbers.
> in 4 dimensions, "best match" is ill-defined.
Firewalls don't *have* to deal with port numbers, so it's best to say "up
to" rather than "at least."
> FYI, Cisco PIX used "best match" semantics up to v4.4 on "outbound"
> rules, and that was horribly confusing IMHO. They switched to
> normal "first match" semantics with the access-list commands of
> v5.0.
Even when I ran IPF boxen in production, I "quick"'d all the rulesets so
that reading them was intuitive to anyone who didn't have IPF experience.
I can't imagine a 2am "Fix the ruleset to allow or block $foo" phone call
with a back-up admin, or worse yet operations folks, without it.
Paul
[1] Yes, you can weight the routes, and I recall having to do so because
a 75xx router thought the 10Mb/s FNS circuit (never get one of those) was
better than a T-3 because the FNS circuit used a LAN interface and the T-3
was a WAN interface.
-----------------------------------------------------------------------------
Paul D. Robertson "My statements in this message are personal opinions
proberts@patriot.net which may have no basis whatsoever in fact."
probertson@trusecure.com Director of Risk Assessment TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards@honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
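The thread above argues three things without showing them: that "best match" stops being well defined once a rule has more than one dimension, that IPF's default last-match evaluation reads differently from first match, and that putting `quick` on every rule makes IPF behave as plain first match. The following toy evaluator is an added, constructed example (not IPF's or anyone in the thread's code) that runs one small ruleset under all three semantics. It assumes IPF's default of passing a packet that matches no rule, and models "best match" as "a rule wins only if it is at least as specific as every other matching rule in every dimension", reporting "ambiguous" when two matching rules are each more specific in a different dimension. The rules, addresses and ports are made up for illustration.

```python
"""Toy packet-filter evaluator contrasting rule-matching semantics.

Added, constructed example (not IPF's code): it models the three policies
the thread discusses -- first match, IPF-style last match with `quick`,
and "best match" (most specific rule wins) -- over rules with three
dimensions (src, dst, dst port) to show where best match becomes ambiguous.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    src: str                      # CIDR; "0.0.0.0/0" means any
    dst: str
    dport: Optional[int] = None   # None means any destination port
    quick: bool = False           # IPF/pf keyword: stop at this rule if it matches

    def matches(self, pkt: Dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt["dport"]))

    def specificity(self):
        """Per-dimension specificity: longer prefix / fixed port = more specific."""
        return (ip_network(self.src).prefixlen,
                ip_network(self.dst).prefixlen,
                0 if self.dport is None else 1)


DEFAULT = "pass"   # modelling assumption: packets matching no rule pass (IPF's default)


def first_match(rules: List[Rule], pkt: Dict) -> str:
    """Decision of the first rule that matches (PIX 5.0+ access-list style)."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return DEFAULT


def ipf_match(rules: List[Rule], pkt: Dict) -> str:
    """IPF default: the LAST matching rule wins, unless a matching rule is
    marked `quick`, which ends evaluation at that rule."""
    decision = DEFAULT
    for r in rules:
        if r.matches(pkt):
            decision = r.action
            if r.quick:
                break
    return decision


def _dominates(a, b) -> bool:
    """a is at least as specific as b in every dimension and stricter in one."""
    return all(x >= y for x, y in zip(a, b)) and a != b


def best_match(rules: List[Rule], pkt: Dict) -> str:
    """'Most specific rule wins'. Returns "ambiguous" when two matching rules
    are each more specific in a different dimension, so neither dominates."""
    hits = [r for r in rules if r.matches(pkt)]
    if not hits:
        return DEFAULT
    maximal = [r for r in hits
               if not any(_dominates(o.specificity(), r.specificity())
                          for o in hits if o is not r)]
    return maximal[0].action if len(maximal) == 1 else "ambiguous"


# Constructed ruleset: deny the internal net by default, let the admin subnet
# ssh anywhere, and expose one internal web server to everyone.
RULES = [
    Rule("block", "0.0.0.0/0", "10.0.0.0/8"),
    Rule("pass", "192.168.1.0/24", "0.0.0.0/0", dport=22),
    Rule("pass", "0.0.0.0/0", "10.0.0.5/32", dport=80),
]
# Paul's approach: every rule `quick`, so IPF behaves as plain first match.
RULES_QUICK = [Rule(r.action, r.src, r.dst, r.dport, quick=True) for r in RULES]

# Constructed packets (as dicts) for the comparison.
SSH_FROM_ADMIN = {"src": "192.168.1.7", "dst": "10.0.0.5", "dport": 22}
WEB_FROM_OUTSIDE = {"src": "203.0.113.9", "dst": "10.0.0.5", "dport": 80}
NO_RULE_HIT = {"src": "203.0.113.9", "dst": "198.51.100.1", "dport": 443}


def compare(pkt: Dict) -> Dict[str, str]:
    """Evaluate one packet under every semantics; handy when auditing a ruleset."""
    return {
        "first": first_match(RULES, pkt),
        "ipf_last": ipf_match(RULES, pkt),
        "ipf_all_quick": ipf_match(RULES_QUICK, pkt),
        "best": best_match(RULES, pkt),
    }


if __name__ == "__main__":
    for name, pkt in [("ssh from admin", SSH_FROM_ADMIN),
                      ("web from outside", WEB_FROM_OUTSIDE),
                      ("no rule hit", NO_RULE_HIT)]:
        print(name, compare(pkt))
```

The ssh packet is the instructive one: it matches a rule that is more specific on the source and another that is more specific on the destination, so "best match" has no answer, while the same ruleset blocks it under first match and passes it under IPF's last-match default. Marking every rule `quick` collapses the IPF result onto the first-match result, which is the readability Paul is after for the 2am phone call.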