Firewall Wizards mailing list archives

Re: Rationale for BSD (I)PF rule order?


From: Holger Kipp <Holger.Kipp () alogis com>
Date: Sun, 11 May 2003 01:29:56 +0000

Barney Wolff (barney () databus com) wrote: 

> I am simply amazed at what people have been saying in this thread.

me too.

> Unless the firewall hardware actually has a CAM, rule evaluation is
> going to be sequential, whether in the order configured or not.
> Therefore, I for one will never accept a scheme where I have to think
> hard about what the ruleset will actually do.  I want the simplest,
> clearest relationship between what I see and what the firewall will do,
> and that's sequential, first-match.

I'd like to suggest that every sysadmin who creates rulesets (and wants to
harden them) should in fact think hard about what the ruleset will actually
do - no matter what firewall and rule-scheme (s)he is using.

Assume you have 3000+ rules on 12 interfaces and want to add another rule.
Where do you insert the new rule? You have to find the(*) rule A that is
less specific(+) and would override your rule B, and add the new rule B before
that one. But what if rule B is not a real subset of rule A? Then it might affect
other rules further down. Happy hunting ;-) (so much for "simplest and clearest")
(*) might be several.
(+) for the sake of simplicity, let's assume we know what 'less specific' means.

I prefer a mixture of a) building a tree with appropriate rules, which
means I can control the flow of rule evaluation, b) using "quick"
where I think it is necessary, and c) keeping local and global complexity of
the ruleset low.

OK, that's what I like about ipf. If you dislike it, use something else ;-)

Regards,
Holger Kipp
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
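The two evaluation models argued over in this thread (sequential first-match versus ipf's last-match with "quick") and the "where do I insert rule B?" problem can be made concrete with a small rule evaluator. The following is an added example, not code from the thread or from ipf itself; the rule syntax, the deny-by-default policy when nothing matches, and the sample rulesets and addresses are constructed for illustration. It also goes a step beyond the post by reporting rules that can never decide anything under either model, which is the check an administrator wants before and after inserting a rule into a large ruleset.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    """One filter rule (simplified). Addresses are CIDR strings; dport None = any port."""
    action: str              # "pass" or "block"
    src: str
    dst: str
    dport: Optional[int] = None
    quick: bool = False      # ipf 'quick': stop evaluating as soon as this rule matches


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


ANY = "0.0.0.0/0"


def matches(rule: Rule, pkt: Packet) -> bool:
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and (rule.dport is None or rule.dport == pkt.dport))


def eval_first_match(rules: List[Rule], pkt: Packet) -> str:
    """Sequential first-match: the first matching rule decides."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return "block"           # assumed default policy when nothing matches


def eval_ipf(rules: List[Rule], pkt: Packet) -> str:
    """ipf-style: the last matching rule wins, unless a matching rule is 'quick'."""
    verdict = "block"        # assumed default policy when nothing matches
    for r in rules:
        if matches(r, pkt):
            verdict = r.action
            if r.quick:
                break
    return verdict


def covers(a: Rule, b: Rule) -> bool:
    """True if every packet matched by b is also matched by a (a is 'less specific' or equal)."""
    return (ipaddress.ip_network(b.src).subnet_of(ipaddress.ip_network(a.src))
            and ipaddress.ip_network(b.dst).subnet_of(ipaddress.ip_network(a.dst))
            and (a.dport is None or a.dport == b.dport))


def shadowed_first_match(rules: List[Rule]) -> List[int]:
    """Indices of rules no packet can reach under first-match: an earlier rule covers them."""
    return [i for i, r in enumerate(rules) if any(covers(p, r) for p in rules[:i])]


def dead_ipf(rules: List[Rule]) -> List[int]:
    """Indices of rules that never decide anything under ipf semantics, by two sufficient
    conditions: an earlier 'quick' rule covers the rule (it is never reached), or the rule
    is not 'quick' and a later rule covers it with no 'quick' rule in between (always overridden)."""
    dead = []
    for i, r in enumerate(rules):
        unreachable = any(p.quick and covers(p, r) for p in rules[:i])
        overridden = (not r.quick) and any(
            covers(rules[j], r) and not any(q.quick for q in rules[i + 1:j])
            for j in range(i + 1, len(rules)))
        if unreachable or overridden:
            dead.append(i)
    return dead


# Constructed sample policy, first as a first-match ruleset, then as an ipf ruleset.
FIRST_MATCH = [
    Rule("pass",  "10.0.0.0/8", "192.168.1.10", 22),     # admin ssh from the corporate net
    Rule("block", ANY,          "192.168.1.0/24", 22),   # nobody else gets ssh
    Rule("pass",  ANY,          "192.168.1.0/24", 80),   # web is public
]
IPF = [
    Rule("block", "203.0.113.0/24", ANY, quick=True),    # known-bad net: decide immediately
    Rule("block", ANY,          "192.168.1.0/24", 22),
    Rule("pass",  "10.0.0.0/8", "192.168.1.10", 22),     # later and more specific: wins under ipf
    Rule("pass",  ANY,          "192.168.1.0/24", 80),
]
# The new rule B from the post: cut off one corporate subnet's ssh access.
B = Rule("block", "10.0.5.0/24", "192.168.1.10", 22)
PKT = Packet("10.0.5.7", "192.168.1.10", 22)

if __name__ == "__main__":
    # Appending B to a first-match ruleset leaves it shadowed by the broader 'pass' rule A.
    print("first-match, B appended:", eval_first_match(FIRST_MATCH + [B], PKT),
          "shadowed:", shadowed_first_match(FIRST_MATCH + [B]))
    print("first-match, B before A:", eval_first_match([B] + FIRST_MATCH, PKT))
    # Under ipf the appended, more specific rule overrides; 'quick' still short-circuits.
    print("ipf, B appended:", eval_ipf(IPF + [B], PKT), "dead rules:", dead_ipf(IPF + [B]))
```

Run it as a script to see the two models disagree on the appended rule: under first-match the new block rule is reported as shadowed (index 3) and the packet still passes until B is moved in front of the covering rule, while under ipf the same appended rule wins because it matches last. The `dead_ipf` check is deliberately conservative (sufficient conditions only), so a rule it does not flag may still be partly overridden.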

