Firewall Wizards mailing list archives
RE: Rationale for BSD (I)PF rule order?
From: "Ben Nagy" <ben () iagu net>
Date: Mon, 12 May 2003 14:55:00 +0200
> -----Original Message-----
> From: firewall-wizards-admin () honor icsalabs com
> [mailto:firewall-wizards-admin () honor icsalabs com] On Behalf Of Marcus J. Ranum
> Sent: Monday, 12 May 2003 3:34 AM
> To: Holger.Kipp () alogis com; barney () databus com; Bill () royds net
> Cc: mikael.olsson () clavister com; holger.kipp () alogis com; volker.tanger () discon de; firewall-wizards () honor icsalabs com
>
> Holger Kipp wrote:
> > Assume you have 3000+ rules on 12 interfaces and want to add
> > another rule.
>
> If you have a 3000+ rule 12 interface firewall you may as well replace it
> with one of them newfangled "secure hubs"
>
> mjr.
Or indeed not bother. I grow more and more skeptical of these giant rulesets and single chokepoint solutions (actually of firewalls in general, but let's keep the faith...). I'm sure modern firewalls themselves perform well enough to handle them, but I haven't seen a corresponding Moore's Law for performance and clue-level of firewall admins.

I also suspect a good dose of bad ruleset design - I have probably seen well over a hundred customer-written firewall rulesets of various kinds, and to date I have seen two (2) that couldn't have several of the rules removed and reordered with no security delta. Maybe I'll add a new principle when teaching my 'Dao of Good Security' - "if your security policy is complex then it isn't working".

You do have a way of compressing intelligent insight into throwaway grumpy remarks, Marcus. ;)

ben

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
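The claim above, that most rulesets contain rules which can be removed or reordered with no security delta, and the thread's underlying question of why (I)PF evaluates rules in the order it does, can both be checked mechanically on a small scale. The following is an added example, not code from the list posting, from IPFilter or from PF: it models ipf/pf evaluation (the last matching rule wins unless a matching rule carries `quick`) next to first-match evaluation, enumerates a constructed packet space exhaustively, and reports which rules are redundant under each semantics. All rules, addresses and ports are made up for illustration; the "pass when nothing matches" default mirrors ipf/pf behaviour and is applied to both evaluators so the comparison is fair.

```python
"""Compare a firewall ruleset under first-match and ipf/pf last-match
evaluation, and find rules whose removal changes no decision.

Constructed example: rules, addresses and the packet space below are
made up for illustration and are not from the mailing-list thread.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import product
from typing import Optional

# A packet is modelled as the tuple (proto, src, dst, dport).


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    proto: str = "any"           # "tcp", "udp" or "any"
    src: str = "0.0.0.0/0"       # source network in CIDR form
    dst: str = "0.0.0.0/0"       # destination network in CIDR form
    dport: Optional[int] = None  # None matches any destination port
    quick: bool = False          # ipf/pf 'quick': stop evaluating on match

    def matches(self, pkt):
        proto, src, dst, dport = pkt
        return ((self.proto == "any" or self.proto == proto)
                and ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == dport))


def decide_first_match(rules, pkt, default="pass"):
    """First matching rule decides; 'quick' is implied on every rule."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default


def decide_last_match(rules, pkt, default="pass"):
    """ipf/pf style: last matching rule decides, unless a match is 'quick'.
    Like ipf/pf, a packet matching no rule at all is passed."""
    result = default
    for r in rules:
        if r.matches(pkt):
            result = r.action
            if r.quick:
                break
    return result


def security_delta(rules_a, rules_b, packets, decide):
    """Packets on which two rulesets disagree under the given evaluator."""
    return [p for p in packets if decide(rules_a, p) != decide(rules_b, p)]


def redundant_rules(rules, packets, decide):
    """Indices of rules whose removal leaves every decision unchanged.
    Each rule is tested on its own: two rules that shadow each other are
    each reported redundant, but removing both would change the policy."""
    return [i for i in range(len(rules))
            if not security_delta(rules, rules[:i] + rules[i + 1:], packets, decide)]


def semantics_delta(rules, packets):
    """Packets the same ruleset treats differently under the two evaluators."""
    return [p for p in packets
            if decide_first_match(rules, p) != decide_last_match(rules, p)]


# Constructed ruleset, written in the ipf/pf idiom: default deny first,
# then the exceptions. Under first-match the same text means "block all".
RULES = [
    Rule("block"),                                                        # 0: default deny
    Rule("block", "tcp", src="192.168.1.200/32", dst="10.0.0.0/24", quick=True),  # 1: banned host
    Rule("pass", "tcp", dst="10.0.0.0/24", dport=80),                     # 2: web to the DMZ
    Rule("pass", "tcp", src="192.168.1.0/24", dst="10.0.0.5/32", dport=22),  # 3: admin ssh
    Rule("pass", "tcp", src="192.168.1.7/32", dst="10.0.0.5/32", dport=22),  # 4: subsumed by 3
]

# Constructed packet space, small enough to enumerate exhaustively.
PACKETS = [
    (proto, src, dst, dport)
    for proto, src, dst, dport in product(
        ("tcp", "udp"),
        ("192.168.1.7", "192.168.1.50", "192.168.1.200", "172.16.0.9"),
        ("10.0.0.5", "10.0.0.9", "10.0.1.1"),
        (22, 23, 80),
    )
]


def main():
    print("redundant under last-match (ipf/pf):",
          redundant_rules(RULES, PACKETS, decide_last_match))
    print("redundant under first-match:        ",
          redundant_rules(RULES, PACKETS, decide_first_match))
    print("packets decided differently by the two semantics:",
          len(semantics_delta(RULES, PACKETS)))


if __name__ == "__main__":
    main()
```

Under last-match only rule 4 is redundant (rule 3 already covers it), while under first-match the leading `block` shadows rules 1 to 4 entirely, so the "default deny at the top" idiom is exactly the kind of ordering that cannot be moved between the two semantics without a security delta. The exhaustive enumeration is what makes the redundancy claim checkable; on a real ruleset the packet space has to be sampled or derived from the rules' own address and port boundaries rather than enumerated.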
Current thread:
- RE: Rationale for BSD (I)PF rule order?, (continued)
- RE: Rationale for BSD (I)PF rule order? Smith Gary-GSMITH1 (May 09)
- RE: Rationale for BSD (I)PF rule order? Stewart, John (May 09)
- Re: Rule lookup strategies (Was: Rationale for BSD (I)PF rule order?) Mikael Olsson (May 09)
- Re: Rule lookup strategies (Was: Rationale for BSD (I)PF rule order?) Gary Flynn (May 10)
- Re: Rationale for BSD (I)PF rule order? Darren Reed (May 10)
- Re: Rationale for BSD (I)PF rule order? Avishai Wool (May 11)
- Re: Rationale for BSD (I)PF rule order? Paul Robertson (May 12)
- Re: Rule lookup strategies (Was: Rationale for BSD (I)PF rule order?) Mikael Olsson (May 09)
- Re: Rationale for BSD (I)PF rule order? Holger Kipp (May 11)
- Re: Rationale for BSD (I)PF rule order? Bill Royds (May 11)
- Re: Rationale for BSD (I)PF rule order? Marcus J. Ranum (May 12)
- RE: Rationale for BSD (I)PF rule order? Ben Nagy (May 12)
- RE: Rationale for BSD (I)PF rule order? Paul Robertson (May 12)
- RE: Rationale for BSD (I)PF rule order? Marcus J. Ranum (May 12)
- RE: Rationale for BSD (I)PF rule order? Paul Robertson (May 12)
- RE: Rationale for BSD (I)PF rule order? Gwendolynn ferch Elydyr (May 12)