Firewall Wizards mailing list archives

Re: Is the order of the rules entered in iptables important?


From: "Anton J Aylward, CISSP" <aja () si on ca>
Date: 05 Aug 2002 08:14:43 -0400

You should also check Brent Chapman's papers and the O'Reilly book he
co-authored with Elizabeth Zwicky.

Brent found that some routers try to optimize their filter rules and do
so in such a way that results in untoward effects.

I don't know which volume will be available to you, but in mine it's in a
section:

  Choosing a filtering Packet Router
        It should apply rules in the order specified.


See if the problems he describes with the optimizations would apply to
you.

On Sun, 2002-08-04 at 23:14, David Lang wrote:
there are a few firewalls that apply rules in a 'best fit' strategy rather
than in order. Raptor (now Symantec Enterprise Firewall) is one example
that does this.

there was a debate on the pros and cons of this a year or so ago.

David Lang

On Thu, 1 Aug 2002, Christopher Hicks wrote:

On Thu, 1 Aug 2002, Kenny G. Dubuisson, Jr. wrote:
does the order in which rules are added for an iptables table matter?

Yes.  I'm not aware of many firewall ruleset systems where the order
doesn't matter.
-- 
Anton J Aylward, CISSP  | http://groups.yahoo.com/group/ITTMG-Canada
System Integrity        | http://www.isc2.org
InfoSec Consulting      | http://www.issa-intl.org
Voice: (416) 497-0201   | http://www.issa-toronto.org
mailto:aja () si on ca  |  
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
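As an added illustration of the point the thread makes (this is example code, not part of any message above and not Raptor's or Netfilter's actual implementation), the script below models two ways a packet filter can pick the winning rule. `first_match` walks the chain in the order the rules were appended, which is what iptables does, falling back to the chain's default policy when nothing matches. `best_fit` is an assumed approximation of a 'best fit' engine: it picks the matching rule with the longest source prefix, preferring a port-specific rule on ties; the thread does not describe Raptor's real algorithm, so treat that heuristic as a stand-in. The rules and packets are constructed for the demo: the intent is "allow SSH from 10.0.0.0/8, except nothing from 10.0.5.0/24", and the same two rules are loaded in both orders.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One filter rule: source CIDR, optional TCP destination port, verdict."""
    src: str                 # source network in CIDR notation
    dport: Optional[int]     # None means "any port"
    action: str              # "ACCEPT" or "DROP"


def matches(rule: Rule, src: str, dport: int) -> bool:
    """True when the packet's source address and port satisfy the rule."""
    in_net = ip_address(src) in ip_network(rule.src)
    port_ok = rule.dport is None or rule.dport == dport
    return in_net and port_ok


def first_match(rules: List[Rule], src: str, dport: int, policy: str = "DROP") -> str:
    """iptables-style evaluation: the first rule that matches decides.

    Nothing matching falls through to the chain's default policy."""
    for rule in rules:
        if matches(rule, src, dport):
            return rule.action
    return policy


def best_fit(rules: List[Rule], src: str, dport: int, policy: str = "DROP") -> str:
    """Assumed 'best fit' evaluation (a stand-in, not Raptor's real algorithm):

    among all matching rules, the most specific one wins regardless of the
    order in which the rules were entered."""
    candidates = [r for r in rules if matches(r, src, dport)]
    if not candidates:
        return policy
    # Longest source prefix first; a port-specific rule beats "any port" on a tie.
    winner = max(candidates, key=lambda r: (ip_network(r.src).prefixlen, r.dport is not None))
    return winner.action


def to_iptables(rules: List[Rule], chain: str = "INPUT") -> List[str]:
    """Render the rule list as the iptables -A commands that would load it in that order."""
    lines = []
    for r in rules:
        port = f" -p tcp --dport {r.dport}" if r.dport is not None else ""
        lines.append(f"iptables -A {chain} -s {r.src}{port} -j {r.action}")
    return lines


# Constructed rule set: block the 10.0.5.0/24 subnet entirely, allow SSH from the rest of 10/8.
BLOCK_SUBNET = Rule("10.0.5.0/24", None, "DROP")
ALLOW_SSH = Rule("10.0.0.0/8", 22, "ACCEPT")

ORDER_DROP_FIRST = [BLOCK_SUBNET, ALLOW_SSH]     # the order the administrator intended
ORDER_ACCEPT_FIRST = [ALLOW_SSH, BLOCK_SUBNET]   # same rules, appended the other way round


def compare(src: str, dport: int) -> dict:
    """Verdict for one constructed packet under each engine and each rule order."""
    return {
        "first_match/drop_first": first_match(ORDER_DROP_FIRST, src, dport),
        "first_match/accept_first": first_match(ORDER_ACCEPT_FIRST, src, dport),
        "best_fit/drop_first": best_fit(ORDER_DROP_FIRST, src, dport),
        "best_fit/accept_first": best_fit(ORDER_ACCEPT_FIRST, src, dport),
    }


if __name__ == "__main__":
    for order_name, order in (("drop first", ORDER_DROP_FIRST), ("accept first", ORDER_ACCEPT_FIRST)):
        print(f"# {order_name}")
        print("\n".join(to_iptables(order)))
    # SSH from inside the blocked subnet: only the first-match engine with the
    # wrong order lets it through, which is why rule order matters in iptables.
    for key, verdict in compare("10.0.5.7", 22).items():
        print(f"{key:28s} -> {verdict}")
```

Running it shows the practical consequence: with first-match semantics, appending the ACCEPT rule before the DROP rule silently opens SSH from the subnet you meant to block, while the best-fit engine returns the same answer for both orders. That is also the auditing habit worth keeping with iptables: read `iptables -L -n --line-numbers` top to bottom and ask, for each rule, which earlier rule would already have matched the traffic it is meant to catch.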
