Firewall Wizards mailing list archives
Precedence of rule terms
From: Neil Ratzlaff <Neil.Ratzlaff () ucop edu>
Date: Tue, 15 Jun 1999 15:43:03 -0700
Given this scenario (and think about expanding the list of hosts and services and more complex combinations of hosts and services):

  Hosts A, B, C
  Services X, Y, Z
  Two equivalent sets of permissions but defined in different ways
  Equal amounts of use for each service and host

Group 1
  1. Host A allows services X Y
  2. Host B allows services Y Z
  3. Host C allows services X Z

Group 2
  1. Hosts A C allow service X
  2. Hosts A B allow service Y
  3. Hosts B C allow service Z

Which would be a faster rule match, Group 1 or Group 2?

If FW checks first for DEST IP, then Group 1 should be faster. If FW checks first for Service, then Group 2 should be faster. If it checks all conditions for each rule, both would be the same, but that is very inefficient.

In database queries, the order of terms is critical for optimization. As my rule set has grown, it has become fragmented (far from normalized in database lingo). I want to consolidate the rules, but I also want to reduce the load as much as possible, beyond the usual rule of most frequent rule matches first in the list.

Anyone have any insight? Someone from Checkpoint must know how the actual rule checking is done. Any helpful comments appreciated.

Neil
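The following is an added worked example, not part of Neil's post and not how any particular firewall product evaluates its rule base. It assumes a simple cost model: a first-match rule base, each rule term (destination host list, service list) scanned linearly, the scan stopping at the first hit, and the cost being the number of element comparisons spent before a verdict. The packet workload is constructed to mirror "equal amounts of use for each service and host": every permitted (host, service) pair once. Under that model it reproduces Neil's intuition that Group 1 wins when the host term is checked first and Group 2 wins when the service term is checked first, and it shows by how much.

```python
from dataclasses import dataclass
from typing import Optional, Sequence

# Added illustration (not from the original post). The cost model is an
# assumption: first-match rule base, each term a linear scan over the rule's
# host list or service list, cost = element comparisons until a verdict.

@dataclass(frozen=True)
class Rule:
    hosts: tuple       # destination hosts this rule covers
    services: tuple    # services this rule allows for those hosts

@dataclass(frozen=True)
class MatchResult:
    rule_index: Optional[int]   # None means no rule matched (implicit deny)
    comparisons: int            # element comparisons spent reaching the verdict

HOST_FIRST = ("host", "service")
SERVICE_FIRST = ("service", "host")

# Neil's two equivalent rule groups, transcribed from the post.
GROUP_1 = (
    Rule(hosts=("A",), services=("X", "Y")),
    Rule(hosts=("B",), services=("Y", "Z")),
    Rule(hosts=("C",), services=("X", "Z")),
)
GROUP_2 = (
    Rule(hosts=("A", "C"), services=("X",)),
    Rule(hosts=("A", "B"), services=("Y",)),
    Rule(hosts=("B", "C"), services=("Z",)),
)

def _scan(value: str, candidates: Sequence[str]) -> tuple:
    """Linear scan of one rule term; returns (hit, comparisons used)."""
    for n, candidate in enumerate(candidates, start=1):
        if candidate == value:
            return True, n          # short-circuit on first hit
    return False, len(candidates)   # miss costs the whole list

def match(rules, host: str, service: str, order=HOST_FIRST) -> MatchResult:
    """First-match evaluation; the first failing term ends the current rule."""
    comparisons = 0
    for index, rule in enumerate(rules):
        matched = True
        for term in order:
            if term == "host":
                hit, n = _scan(host, rule.hosts)
            else:
                hit, n = _scan(service, rule.services)
            comparisons += n
            if not hit:
                matched = False
                break
        if matched:
            return MatchResult(index, comparisons)
    return MatchResult(None, comparisons)   # fell off the end: implicit deny

def workload_cost(rules, packets, order) -> int:
    """Total comparisons to classify every packet in the workload."""
    return sum(match(rules, h, s, order).comparisons for h, s in packets)

# Constructed workload: each permitted (host, service) pair exactly once.
ALLOWED_PAIRS = (("A", "X"), ("A", "Y"), ("B", "Y"),
                 ("B", "Z"), ("C", "X"), ("C", "Z"))

def compare_groups(packets=ALLOWED_PAIRS) -> dict:
    """Cost of each rule group under each term-evaluation order."""
    return {
        ("group1", "host_first"):    workload_cost(GROUP_1, packets, HOST_FIRST),
        ("group2", "host_first"):    workload_cost(GROUP_2, packets, HOST_FIRST),
        ("group1", "service_first"): workload_cost(GROUP_1, packets, SERVICE_FIRST),
        ("group2", "service_first"): workload_cost(GROUP_2, packets, SERVICE_FIRST),
    }

if __name__ == "__main__":
    for (group, order), cost in compare_groups().items():
        print(f"{group:7s} {order:14s} comparisons={cost}")
    print("denied packet:", match(GROUP_1, "A", "Z", HOST_FIRST))
```

Over this workload the model gives 21 comparisons for Group 1 and 29 for Group 2 when the host term is checked first, and the mirror image (29 and 21) when the service term is checked first, so the "right" grouping depends entirely on which term the engine tests first. Two caveats a practitioner would add: a denied packet such as (A, Z) pays for a full pass over every rule before the implicit deny, so the cost of the traffic that is dropped matters as much as the cost of traffic that is allowed; and engines that compile the rule base into a lookup structure rather than scanning it linearly do not follow this cost model at all, which is why the vendor's own evaluation strategy has to be known before the rule layout is optimised for it.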