Firewall Wizards mailing list archives

Re: Rationale for BSD (I)PF rule order?

From: Holger Kipp <Holger.Kipp () alogis com>
Date: Sun, 11 May 2003 00:58:18 +0000

Mikael Olsson (mikael.olsson () clavister com) wrote:

Holger Kipp wrote:

For me it is easier to create a treelike strukture of rules using head and
group and going from coarse to fine grained rules. With linear rules (first
match), ordering of rules is more important, and with 20+ rules you get
problems with side effects (rule 20 is never evaluated because rule 8 will
fire first.


Please.. I'm missing something. I feel I really must be missing
something, because this is not making sense to me.


I was refering to the possibility of grouping rules using "head" and
"group" (this is with Daren Reeds ipf). "man 5 ipf" might help ;-)

In principle you can do everything with first match rules, but if you
have to change rules, you have to look at all the other rules to be
sure they are not affected, so you don't need to rearange them. Using
head and group helps keeping affected rulesets small.

'quick' is equal to 'first match'. Without it, one can define the
desired behaviour, but redefine it again later, if needed.

Would someone _please_ tell me _how_ this differs from a last-match
ruleset where rule 1 never does anything because rule 8 always
overrides it?  Except for the first-match ruleset reaching the
same wrong conclusion faster, that is?


If you don't use quick, then it is a last-match-ruleset.

Granted, mixed-mode lookups (i.e. using the "quick" keyword in a few
places) could potentially get you out of trouble caused by a badly
structured ruleset.  But mixing in too much of this, with a worst-case
fustercluck of 50%/50% quick/non-quick, just strikes me as a disaster
waiting to happen; especially so in a multiple-admin situation.


Having to change rules every few days is a tedious task with a linear
list of first match-rules. I bet you'll end up with a badly structured
ruleset very fast 8-P. I have experienced exactly that with a simple
training ruleset for a Checkpoint Firewall 1.
  Anyway, I think you were missing the possibilities "head" and "group"
offer.

just my 2 cents (Euro)

Regards,
Holger Kipp
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards

Current thread:

Re: Rationale for BSD (I)PF rule order?, (continued)
- - - Re: Rationale for BSD (I)PF rule order? Avishai Wool (May 11)
    - Re: Rationale for BSD (I)PF rule order? Paul Robertson (May 12)
- Re: Rationale for BSD (I)PF rule order? Holger Kipp (May 11)
  - Re: Rationale for BSD (I)PF rule order? Bill Royds (May 11)
  - Re: Rationale for BSD (I)PF rule order? Marcus J. Ranum (May 12)
    - RE: Rationale for BSD (I)PF rule order? Ben Nagy (May 12)
    - RE: Rationale for BSD (I)PF rule order? Paul Robertson (May 12)
    - RE: Rationale for BSD (I)PF rule order? Marcus J. Ranum (May 12)
    - RE: Rationale for BSD (I)PF rule order? Paul Robertson (May 12)
    - RE: Rationale for BSD (I)PF rule order? Gwendolynn ferch Elydyr (May 12)
- Re: Rationale for BSD (I)PF rule order? Holger Kipp (May 12)
- RE: Rationale for BSD (I)PF rule order? Stewart, John (May 12)