Firewall Wizards mailing list archives

Re: Rule lookup strategies (Was: Rationale for BSD (I)PF rule order?)


From: Mikael Olsson <mikael.olsson () clavister com>
Date: Sat, 10 May 2003 01:48:14 +0200


"Stewart, John" wrote:

Or, IMHO, even better than first or last fit is "best" fit. This is 
definitely the most "human" way of understanding firewall rules. 
You don't have to bother with which order they are in at all:

I've never worked with this myself, but I've heard people say
"it works for small configs, but can do unexpected/unwanted things 
 for large ones".

What'd your thoughts on that be?

I'm thinking along the lines of 
"do foo to 0.0.0.0/0 -> 10.0.0.2/32, port 80-81",
"do bar to 0.0.0.0/0 -> 10.0.0.2/31, port 80".

Which one is more specific? There's one IP and two ports
in the first one, and two IPs and one port in the other one.
(Or substitute for various other IP and/or protocol/port
 combinations for other interesting problems).


The reason I'm asking this is because it generally looks like a 
cool and worthwhile idea, but one I'd like to know more about
before deciding whether I actually like it or not :)


-- 
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00   Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50       WWW: http://www.clavister.com
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
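The ambiguity Mikael raises above (one address and two ports versus two addresses and one port) is easy to make concrete. The following is an added example for this archive page, not code from either poster or from any firewall product: a small rule matcher that evaluates the two rules from the message under first-fit and under three different "best fit" definitions. The rule fields, the `coverage`, `addr_then_port` and `port_then_addr` ranking functions, and the sample packet addresses are all constructed here for illustration.

```python
"""Best-fit versus first-fit firewall rule lookup.

Demonstrates that "most specific rule wins" is only well defined once a
specificity metric and a tie-break are chosen. Example code added for the
archived thread; the rules below are the two from the message, with 'foo'
and 'bar' used as the action names.
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str                  # source CIDR
    dst: str                  # destination CIDR
    ports: Tuple[int, int]    # inclusive destination port range
    action: str


def rule_matches(rule: Rule, src_ip: str, dst_ip: str, dport: int) -> bool:
    """True when the packet's addresses and destination port fall inside the rule."""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(rule.dst)
            and rule.ports[0] <= dport <= rule.ports[1])


# --- three candidate definitions of "more specific" (constructed) ---

def coverage(rule: Rule) -> int:
    """Number of (destination address, port) pairs the rule covers.
    Smaller means more specific. Ignores the source, which is 0.0.0.0/0
    in both rules from the message."""
    n_dst = ipaddress.ip_network(rule.dst).num_addresses
    n_ports = rule.ports[1] - rule.ports[0] + 1
    return n_dst * n_ports


def addr_then_port(rule: Rule) -> Tuple[int, int]:
    """Lexicographic key: longest destination prefix wins, narrower port
    range only breaks ties. Sorting ascending, so negate the prefix length."""
    return (-ipaddress.ip_network(rule.dst).prefixlen,
            rule.ports[1] - rule.ports[0])


def port_then_addr(rule: Rule) -> Tuple[int, int]:
    """Same idea with the priorities swapped: narrowest port range wins."""
    return (rule.ports[1] - rule.ports[0],
            -ipaddress.ip_network(rule.dst).prefixlen)


def first_fit(rules: List[Rule], src_ip: str, dst_ip: str, dport: int) -> Optional[Rule]:
    """Classic ordered lookup: the first rule in the list that matches wins."""
    for rule in rules:
        if rule_matches(rule, src_ip, dst_ip, dport):
            return rule
    return None


def best_fit(rules: List[Rule], src_ip: str, dst_ip: str, dport: int,
             key: Callable[[Rule], object]) -> Tuple[Optional[Rule], bool]:
    """Order-independent lookup: among matching rules, pick the one ranked
    most specific by `key`. Returns (winner, ambiguous); ambiguous is True
    when the top two candidates tie, i.e. the policy is under-specified and
    the result depends on an accident of list order."""
    candidates = [r for r in rules if rule_matches(r, src_ip, dst_ip, dport)]
    if not candidates:
        return None, False
    candidates.sort(key=key)   # stable sort: list order still decides ties
    ambiguous = len(candidates) > 1 and key(candidates[0]) == key(candidates[1])
    return candidates[0], ambiguous


# The two rules from the message (constructed action names 'foo' and 'bar').
RULES = [
    Rule("foo", "0.0.0.0/0", "10.0.0.2/32", (80, 81), "foo"),
    Rule("bar", "0.0.0.0/0", "10.0.0.2/31", (80, 80), "bar"),
]


if __name__ == "__main__":
    # Constructed packet that both rules match: 10.0.0.2, port 80.
    pkt = ("192.0.2.10", "10.0.0.2", 80)
    print("first-fit        :", first_fit(RULES, *pkt).name)
    for label, key in (("coverage", coverage),
                       ("addr-then-port", addr_then_port),
                       ("port-then-addr", port_then_addr)):
        winner, ambiguous = best_fit(RULES, *pkt, key)
        print(f"best-fit/{label:15}: {winner.name}  ambiguous={ambiguous}")
```

Run against the packet 10.0.0.2:80, first-fit returns `foo` because it is listed first; best-fit by `coverage` reports a tie (each rule covers exactly two address/port pairs) and the winner is whatever the stable sort left on top; `addr_then_port` picks `foo` and `port_then_addr` picks `bar`. Nothing in the packet or the rules changes between those runs, only the definition of "specific", which is the point of the question in the message: the administrator's ordering has not been removed, it has been replaced by a ranking rule that must be written down and audited just as carefully.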

