Firewall Wizards mailing list archives
Re: Opinion: Worst interface ever.
From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 5 Jul 2005 09:45:43 -0400 (EDT)
On Tue, 5 Jul 2005, Marcus J. Ranum wrote:
> That's a chip-head thing, Paul. Remember - it's all about performance, not security. By re-ordering the ruleset the firewall can evaluate the rules in the fastest possible manner. I had this explained to me once by an engineer who builds ASIC firewalls for a living - he thought it was a very cool optimization.
I don't mind the optimization[1], I mind the fact that the UI won't tell me how the rules are optimized. I mind that I can't seem to find the logging software on the disk the UI came on, so I can't even see what the heck rule is making the box send out ICMP port unreachables. I mind that following the instructions doesn't produce the results I expect. If I ever have to audit one of these things, I'm charging extra.
> When I suggested that they optimize the "deny all" default deny to the top of the sequence, because then it'd really scream - it took him a couple of seconds to laugh.
I bet!

Paul

[1] Caveat: I'd like to be able to override it in a perfect world.

-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net    which may have no basis whatsoever in fact."
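An added illustration, not code from the thread or from any vendor's product, of why a performance reordering of a first-match ruleset has to respect rule overlap, and what an auditor can check when the UI will not show the optimized order: `safe_reorder` only moves a hot rule past rules it cannot shadow, `naive_reorder` is the "hottest rule first" sort that puts the default deny on top, and `equivalent` compares verdicts over a packet space. The rule set, hit counts and all function names are constructed assumptions.

```python
from dataclasses import dataclass
from itertools import product
from typing import Dict, List, Optional, Sequence

@dataclass(frozen=True)
class Rule:
    action: str           # "allow" or "deny"
    proto: str            # "tcp", "udp" or "*" (any protocol)
    dport: Optional[int]  # destination port, None = any port

    def matches(self, proto: str, dport: int) -> bool:
        return self.proto in ("*", proto) and self.dport in (None, dport)

def first_match(rules: Sequence[Rule], proto: str, dport: int) -> str:
    """Classic first-match evaluation; an implicit deny-all sits at the bottom."""
    for r in rules:
        if r.matches(proto, dport):
            return r.action
    return "deny"

def overlap(a: Rule, b: Rule) -> bool:
    """True if at least one packet could match both rules."""
    return ("*" in (a.proto, b.proto) or a.proto == b.proto) and \
           (None in (a.dport, b.dport) or a.dport == b.dport)

def naive_reorder(rules: Sequence[Rule], hits: Dict[Rule, int]) -> List[Rule]:
    """'Hottest rule first' with no semantic check: the default deny wins."""
    return sorted(rules, key=lambda r: -hits.get(r, 0))

def safe_reorder(rules: Sequence[Rule], hits: Dict[Rule, int]) -> List[Rule]:
    """Bubble hot rules upward, never across an overlapping rule with a different action."""
    order = list(rules)
    swapped = True
    while swapped:
        swapped = False
        for i in range(len(order) - 1):
            a, b = order[i], order[i + 1]
            if hits.get(b, 0) > hits.get(a, 0) and not (overlap(a, b) and a.action != b.action):
                order[i], order[i + 1] = b, a
                swapped = True
    return order

def equivalent(x: Sequence[Rule], y: Sequence[Rule], protos=("tcp", "udp"), ports=range(1, 1024)) -> bool:
    """Audit check: do both orderings give every packet in the space the same verdict?"""
    return all(first_match(x, p, d) == first_match(y, p, d) for p, d in product(protos, ports))

# Constructed sample ruleset and per-rule hit counts (not taken from the thread).
RULES = [Rule("deny", "tcp", 23), Rule("allow", "tcp", 80), Rule("allow", "udp", 53), Rule("deny", "*", None)]
HITS = {RULES[0]: 2, RULES[1]: 900, RULES[2]: 300, RULES[3]: 5000}

if __name__ == "__main__":
    print("naive order equivalent:", equivalent(RULES, naive_reorder(RULES, HITS)))  # False
    print("safe order equivalent: ", equivalent(RULES, safe_reorder(RULES, HITS)))   # True
```

Note that `safe_reorder` may still push a rule into an unreachable position (here the telnet deny ends up below the default deny), which is harmless to the verdicts but is exactly the kind of change an auditor needs the UI to reveal.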