Re: [fw-wiz] Rationale for BSD (I)PF rule order?
From: Holger Kipp (Holger.Kipp_at_alogis.com)
To: firstname.lastname@example.org, email@example.com
Date: Sun, 11 May 2003 00:58:18 +0000
Mikael Olsson (firstname.lastname@example.org) wrote:
>Holger Kipp wrote:
>> For me it is easier to create a treelike structure of rules using head and
>> group and going from coarse to fine grained rules. With linear rules (first
>> match), ordering of rules is more important, and with 20+ rules you get
>> problems with side effects (rule 20 is never evaluated because rule 8 will
>> fire first).
>Please.. I'm missing something. I feel I really must be missing
>something, because this is not making sense to me.
I was referring to the possibility of grouping rules using "head" and
"group" (this is with Darren Reed's ipf). "man 5 ipf" might help ;-)
In principle you can do everything with first match rules, but if you
have to change rules, you have to look at all the other rules to be
sure they are not affected, so that you don't need to rearrange them. Using
head and group helps keep the affected rulesets small.
'quick' is equal to 'first match'. Without it, one can define the
desired behaviour, but redefine it again later, if needed.
>Would someone _please_ tell me _how_ this differs from a last-match
>ruleset where rule 1 never does anything because rule 8 always
>overrides it? Except for the first-match ruleset reaching the
>same wrong conclusion faster, that is?
If you don't use quick, then it is a last-match-ruleset.
>Granted, mixed-mode lookups (i.e. using the "quick" keyword in a few
>places) could potentially get you out of trouble caused by a badly
>structured ruleset. But mixing in too much of this, with a worst-case
>fustercluck of 50%/50% quick/non-quick, just strikes me as a disaster
>waiting to happen; especially so in a multiple-admin situation.
Having to change rules every few days is a tedious task with a linear
list of first-match rules. I bet you'll end up with a badly structured
ruleset very fast 8-P. I have experienced exactly that with a simple
training ruleset for a Checkpoint Firewall 1.
Anyway, I think you were missing the possibilities of "head" and "group".
Just my 2 cents (Euro)
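The three evaluation styles discussed in this thread (first match with "quick", last match without it, and head/group nesting) can be compared with a small simulator. The following is an added example, not code from the thread or from ipf itself; it models the assumed ipf semantics (a non-quick match records the action and evaluation continues, a quick match stops, a matching head rule hands the packet to its group, and the default when nothing matches is assumed to be pass), and the rulesets and addresses are constructed for illustration. The `shadowed()` helper implements the check that a reviewer of a first-match ruleset wants: a rule that can never fire because an earlier quick rule in the same group covers all of its addresses.

```python
"""Toy model of ipf rule evaluation (assumed semantics; see ipf(5) for the real thing)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Rule:
    action: str                   # "pass" or "block"
    src: str = "0.0.0.0/0"        # source network, default "any"
    dst: str = "0.0.0.0/0"        # destination network, default "any"
    quick: bool = False           # first match: stop at this rule
    head: Optional[int] = None    # this rule opens group N
    group: Optional[int] = None   # this rule belongs to group N (None = top level)

    def matches(self, src: str, dst: str) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst))


def evaluate(rules, src, dst, group=None, current="pass"):
    """Walk the rules of one group in order. Returns (action, stopped)."""
    for rule in rules:
        if rule.group != group or not rule.matches(src, dst):
            continue
        current = rule.action                  # last match wins unless quick
        if rule.head is not None:              # descend into the group it opens
            current, stopped = evaluate(rules, src, dst, rule.head, current)
            if stopped:
                return current, True
        if rule.quick:
            return current, True
    return current, False


def decide(rules, src, dst) -> str:
    return evaluate(rules, src, dst)[0]


def shadowed(rules):
    """Indices of rules that can never fire: an earlier quick rule in the same
    group already covers their whole source and destination range."""
    out = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if (earlier.group == later.group and earlier.quick
                    and ip_network(later.src).subnet_of(ip_network(earlier.src))
                    and ip_network(later.dst).subnet_of(ip_network(earlier.dst))):
                out.append(i)
                break
    return out


# Constructed rulesets. "10.0.0.0/8" is the internal net, "192.0.2.0/24" a DMZ.
LINEAR = [  # linear first-match list: the specific deny is shadowed by the broad allow
    Rule("pass", "10.0.0.0/8", "192.0.2.0/24", quick=True),
    Rule("block", "10.1.2.0/24", "192.0.2.5/32", quick=True),   # never reached
    Rule("block", quick=True),                                  # default deny
]

LAST_MATCH = [  # no quick: later, more specific rules refine earlier ones
    Rule("block"),
    Rule("pass", "10.0.0.0/8", "192.0.2.0/24"),
    Rule("block", "10.1.2.0/24", "192.0.2.5/32"),
]

GROUPED = [  # head/group: only group 100 needs attention when internal rules change
    Rule("block", "10.0.0.0/8", quick=True, head=100),
    Rule("block", quick=True),                                  # everything else
    Rule("block", "10.1.2.0/24", "192.0.2.5/32", quick=True, group=100),
    Rule("pass", "10.0.0.0/8", "192.0.2.0/24", quick=True, group=100),
]

if __name__ == "__main__":
    for name, rs in (("LINEAR", LINEAR), ("LAST_MATCH", LAST_MATCH), ("GROUPED", GROUPED)):
        print(name, decide(rs, "10.1.2.7", "192.0.2.5"), "shadowed:", shadowed(rs))
```

Running it shows the thread's point from both sides: LINEAR lets 10.1.2.7 reach 192.0.2.5 even though a deny exists, and `shadowed()` flags that rule; LAST_MATCH and GROUPED both block it, but in GROUPED the rules that interact are confined to group 100.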
firewall-wizards mailing list