Firewall Wizards mailing list archives

Re: Rationale for BSD (I)PF rule order?


From: Barney Wolff <barney () databus com>
Date: Fri, 9 May 2003 22:35:24 -0400

On Fri, May 09, 2003 at 09:10:15PM -0400, Bill Royds wrote:
> Is it not better to have a ruleset firing on closest fit? Decide on which
> rule to apply based on a nesting of address space (single hosts within subnets
> within domains within interfaces, exact ports within port ranges etc.) and
> match on protocol (UDP versus ICMP versus TCP etc.). Rules are made of tuples
> similar to sockets, except that there are other possible dimensions added
> (protocol, authenticated, un-authenticated, source interface, destination
> interface, time of day, phase of moon etc.). Order of rule firing based on
> textual order is always going to create problems.
> If the firewall can generate this tree implied by nesting, then rule lookup
> will be faster as well, since the maximum lookup is log(nesting factor) and
> it can still be done with hash table lookup.

Well of course hash won't work for anything that is a range or a subnet.

I am simply amazed at what people have been saying in this thread.
Unless the firewall hardware actually has a CAM, rule evaluation is
going to be sequential, whether in the order configured or not.
Therefore, I for one will never accept a scheme where I have to think
hard about what the ruleset will actually do.  I want the simplest,
clearest relationship between what I see and what the firewall will do,
and that's sequential, first-match.

As Randy Bush would say, I invite my competitors to use other schemes.

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
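Added illustration of the disagreement in this exchange (not code from either poster): a small Python evaluator that runs one constructed two-rule policy under sequential first-match and under an order-independent "closest fit" scheme. The rule fields, the specificity scoring and the sample packet are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    src: str       # source prefix in CIDR notation
    proto: str     # "tcp", "udp", "icmp" or "any"
    dport: tuple   # inclusive destination-port range; (0, 65535) means any

    def matches(self, pkt):
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and self.proto in ("any", pkt["proto"])
                and self.dport[0] <= pkt["dport"] <= self.dport[1])

    def specificity(self):
        # One score per nesting dimension (assumed scoring): a longer prefix
        # and a narrower port range are both "closer". Protocol is left out.
        return (ip_network(self.src).prefixlen,
                65535 - (self.dport[1] - self.dport[0]))

def first_match(rules, pkt, default="deny"):
    """Sequential first-match: textual order alone decides the verdict."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default

def _dominates(a, b):
    sa, sb = a.specificity(), b.specificity()
    return sa != sb and all(x >= y for x, y in zip(sa, sb))

def closest_fit(rules, pkt, default="deny"):
    """Order-independent most-specific match. Returns "ambiguous" when no
    single matching rule is at least as specific as every other on every
    dimension, i.e. when the scheme needs an extra tie-break policy."""
    hits = [r for r in rules if r.matches(pkt)]
    if not hits:
        return default
    undominated = [r for r in hits
                   if not any(_dominates(o, r) for o in hits if o is not r)]
    return undominated[0].action if len(undominated) == 1 else "ambiguous"

# Constructed policy: allow LAN web traffic, but quarantine one host entirely.
RULES = [
    Rule("allow", "10.0.0.0/24", "tcp", (80, 80)),
    Rule("deny", "10.0.0.5/32", "any", (0, 65535)),
]
QUARANTINED_WEB = {"src": "10.0.0.5", "proto": "tcp", "dport": 80}

if __name__ == "__main__":
    print("first-match:", first_match(RULES, QUARANTINED_WEB))                  # allow
    print("reversed   :", first_match(list(reversed(RULES)), QUARANTINED_WEB))  # deny
    print("closest-fit:", closest_fit(RULES, QUARANTINED_WEB))                  # ambiguous
```

The quarantined host's web packet matches a rule that is more specific on address and another that is more specific on port, so "closest fit" has no single winner without a further precedence policy, whereas first-match gives a verdict that is read straight off the rule order (and flips when the order flips).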
