Firewall Wizards mailing list archives
Re: Rationale for BSD (I)PF rule order?
From: Holger Kipp <Holger.Kipp () alogis com>
Date: Sun, 11 May 2003 00:58:18 +0000
Mikael Olsson (mikael.olsson () clavister com) wrote:
> Holger Kipp wrote:
>> For me it is easier to create a treelike structure of rules using head and group and going from coarse to fine grained rules. With linear rules (first match), ordering of rules is more important, and with 20+ rules you get problems with side effects (rule 20 is never evaluated because rule 8 will fire first).
> Please.. I'm missing something. I feel I really must be missing something, because this is not making sense to me.
I was referring to the possibility of grouping rules using "head" and "group" (this is with Darren Reed's ipf). "man 5 ipf" might help ;-) In principle you can do everything with first match rules, but if you have to change rules, you have to look at all the other rules to be sure they are not affected, so you don't need to rearrange them. Using head and group helps keep affected rulesets small. 'quick' is equal to 'first match'. Without it, one can define the desired behaviour, but redefine it again later, if needed.
> Would someone _please_ tell me _how_ this differs from a last-match ruleset where rule 1 never does anything because rule 8 always overrides it? Except for the first-match ruleset reaching the same wrong conclusion faster, that is?
If you don't use quick, then it is a last-match-ruleset.
> Granted, mixed-mode lookups (i.e. using the "quick" keyword in a few places) could potentially get you out of trouble caused by a badly structured ruleset. But mixing in too much of this, with a worst-case fustercluck of 50%/50% quick/non-quick, just strikes me as a disaster waiting to happen; especially so in a multiple-admin situation.
Having to change rules every few days is a tedious task with a linear list of first-match rules. I bet you'll end up with a badly structured ruleset very fast 8-P. I have experienced exactly that with a simple training ruleset for a Checkpoint Firewall 1. Anyway, I think you were missing the possibilities "head" and "group" offer.

Just my 2 cents (Euro).

Regards,
Holger Kipp

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
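An added illustration (my own Python model, not ipf's code and not from anyone in this thread) of the three behaviours argued about above: first-match via 'quick', last-match without it, and 'head'/'group' descent, plus a sample-based check for rules that never decide anything. The Rule/Packet fields, the three rulesets and the sample packets are constructed; real ipf matches on far more than protocol and destination port.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Rule:                   # one ipf-style rule (constructed model, not ipf's parser)
    action: str               # "pass" or "block"
    proto: str = "any"
    dst_port: Optional[int] = None
    quick: bool = False       # ipf 'quick': a match ends evaluation (first-match behaviour)
    head: Optional[int] = None  # ipf 'head N': on match, also consult rules in group N
    group: int = 0            # ipf 'group N': rule is only consulted inside group N
@dataclass
class Packet:
    proto: str
    dst_port: int

def matches(r: Rule, p: Packet) -> bool:
    return r.proto in ("any", p.proto) and r.dst_port in (None, p.dst_port)

def evaluate(rules, p, group=0, decision=None):
    """ipf-style walk: last match wins unless a 'quick' rule matches. Returns (index, stopped)."""
    for i, r in enumerate(rules):
        if r.group != group or not matches(r, p):
            continue
        decision = i
        if r.head is not None:  # descend into the group; its rules may override this one
            decision, stopped = evaluate(rules, p, r.head, decision)
            if stopped:
                return decision, True
        if r.quick:
            return decision, True
    return decision, False

def decide(rules, p):
    idx, _ = evaluate(rules, p)
    return rules[idx].action if idx is not None else "block"  # nothing matched

def shadowed(rules, packets):
    """Indices of rules that never decide any sample packet (sample-based check only)."""
    hit = {evaluate(rules, p)[0] for p in packets}
    return [i for i in range(len(rules)) if i not in hit]

# Constructed rulesets. LINEAR: the broad 'pass tcp quick' fires first, so the specific
# telnet block at index 2 is dead (the "rule 20 never evaluated" effect from the thread).
LINEAR = [Rule("block"), Rule("pass", "tcp", quick=True), Rule("block", "tcp", 23, quick=True)]
# NOQUICK: same rules without 'quick' behave as last-match, so the telnet block wins.
NOQUICK = [Rule("block"), Rule("pass", "tcp"), Rule("block", "tcp", 23)]
# GROUPED: the broad rule is a 'head'; the telnet block lives in group 100, which is
# consulted for every tcp packet before the head rule's own 'pass' takes effect.
GROUPED = [Rule("block"), Rule("pass", "tcp", quick=True, head=100),
           Rule("block", "tcp", 23, quick=True, group=100)]
SAMPLE = [Packet("tcp", 23), Packet("tcp", 80), Packet("udp", 53)]
```

Running `shadowed(LINEAR, SAMPLE)` reports index 2 as dead, while the same telnet block in NOQUICK or GROUPED decides the tcp/23 packet.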