Firewall Wizards mailing list archives
Re: Opinion: Worst interface ever.
From: Adam Jones <ajones1 () gmail com>
Date: Tue, 5 Jul 2005 08:54:40 -0500
On 7/5/05, Marcus J. Ranum <mjr () ranum com> wrote:
> Paul D. Robertson wrote:
> > The new Watchguard software "automatically" decides ruleset evaluation order, and there's no easy way that I can find to figure out what order something's going to be evaluated in.
>
> That's a chip-head thing, Paul. Remember - it's all about performance, not security. By re-ordering the ruleset the firewall can evaluate the rules in the fastest possible manner. I had this explained to me once by an engineer who builds ASIC firewalls for a living - he thought it was a very cool optimization. When I suggested that they optimize the "deny all" default deny to the top of the sequence, because then it'd really scream - it took him a couple of seconds to laugh.
>
> mjr.
Although I understand why the auto-optimization would be important, shouldn't it be intuitive to look up what the rule order is? Maybe this is inexperience talking, but I cannot see optimizing the rule order on a by-packet or by-host basis. At that point you are left to either larger subsets of the internet, or a general rule order. Either way it seems ridiculous to not provide an easy-to-use means of at least looking up the current rule order.

It sounds like the original poster at least knows his way around firewall software, which should be enough to rule out user error in any halfway decent design. I would say that you should at least discuss your problems with the software and see if your client wants to return it. Having your firewall expert spend ~45 minutes poking through the interface to accomplish basic tasks sounds like the beginnings of a downtime nightmare to me. If it took that long just to get a reasonably standard configuration going, how long will it take to troubleshoot a complex problem?

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
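The thread's underlying point is that a first-match ruleset is only safe to reorder when the reordering cannot change which rule wins, which is exactly why an administrator needs to see the evaluation order the box actually uses. The following is an added illustration, not code from this list or from any firewall vendor: it evaluates a small first-match policy, lists the rule pairs whose relative order determines the decision (overlapping match conditions with different actions), and shows that hoisting the broad deny to the top, as in the joke above, silently flips a decision while moving a non-overlapping rule does not. The rule model, the policy and the sample packets are all constructed for the example, using RFC 5737 documentation addresses.

```python
"""Added example (not from the firewall-wizards thread or any vendor):
first-match policy evaluation plus a check for which rule pairs are
order-dependent, i.e. which reorderings change the policy's decisions.
Rule model, policy and packets are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from itertools import combinations
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str    # IPv4 address
    dst: str
    proto: str  # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # CIDR prefix
    dst: str
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"

    def matches(self, pkt: Packet) -> bool:
        return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and self.dport in (None, pkt.dport))

    def overlaps(self, other: "Rule") -> bool:
        """True if some packet could match both rules."""
        return (ipaddress.ip_network(self.src).overlaps(ipaddress.ip_network(other.src))
                and ipaddress.ip_network(self.dst).overlaps(ipaddress.ip_network(other.dst))
                and (self.proto == other.proto or "any" in (self.proto, other.proto))
                and (None in (self.dport, other.dport) or self.dport == other.dport))


def first_match(rules: List[Rule], pkt: Packet, default: str = "deny") -> Tuple[str, Optional[str]]:
    """Classic first-match evaluation: the first matching rule decides,
    otherwise the implicit default (deny) applies."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, None


def order_dependent_pairs(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Rule pairs that can match the same packet with different actions.
    Swapping any such pair changes what the policy does; every other
    reordering is semantically free, which is the only kind an optimiser
    may perform silently."""
    return [(a.name, b.name) for a, b in combinations(rules, 2)
            if a.action != b.action and a.overlaps(b)]


def same_decisions(rules_a: List[Rule], rules_b: List[Rule], packets: List[Packet]) -> bool:
    """Regression check: do two orderings decide every sample packet alike?"""
    return all(first_match(rules_a, p)[0] == first_match(rules_b, p)[0] for p in packets)


# Constructed policy using documentation address ranges (RFC 5737).
WEB = Rule("web-to-dmz", "0.0.0.0/0", "192.0.2.0/24", "tcp", 443, "allow")
SSH = Rule("admin-ssh", "198.51.100.0/24", "192.0.2.0/24", "tcp", 22, "allow")
BLOCK = Rule("block-untrusted", "0.0.0.0/0", "192.0.2.0/24", "any", None, "deny")
DNS = Rule("internal-dns", "10.0.0.0/8", "10.0.0.53/32", "udp", 53, "allow")

POLICY = [WEB, SSH, BLOCK, DNS]          # order the administrator wrote
DENY_FIRST = [BLOCK, WEB, SSH, DNS]      # the "fast" order from the joke: deny hoisted to the top
SAFE_REORDER = [DNS, WEB, SSH, BLOCK]    # moves only a rule that overlaps nothing

SAMPLE_PACKETS = [                        # constructed traffic
    Packet("203.0.113.5", "192.0.2.10", "tcp", 443),
    Packet("198.51.100.7", "192.0.2.10", "tcp", 22),
    Packet("203.0.113.5", "192.0.2.10", "tcp", 22),
    Packet("10.1.2.3", "10.0.0.53", "udp", 53),
    Packet("10.1.2.3", "10.9.9.9", "tcp", 80),
]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.src, "->", p.dst, p.proto, p.dport,
              "written:", first_match(POLICY, p), "deny-first:", first_match(DENY_FIRST, p))
    print("order-dependent pairs:", order_dependent_pairs(POLICY))
    print("safe reorder equivalent:", same_decisions(POLICY, SAFE_REORDER, SAMPLE_PACKETS))
    print("deny-first equivalent:", same_decisions(POLICY, DENY_FIRST, SAMPLE_PACKETS))
```

Running it shows the HTTPS packet allowed under the written order and denied once the deny rule is hoisted, while `order_dependent_pairs` names exactly the two allow rules that the deny rule shadows. A product that reorders for speed can only legitimately touch pairs outside that list, and a `same_decisions` style regression over representative traffic is a cheap way to confirm that whatever order the firewall settled on still implements the policy you wrote.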
Current thread:
- Opinion: Worst interface ever. Paul D. Robertson (Jul 05)
- Re: Opinion: Worst interface ever. Marcus J. Ranum (Jul 05)
- Re: Opinion: Worst interface ever. Paul D. Robertson (Jul 05)
- Re: Opinion: Worst interface ever. Marcus J. Ranum (Jul 05)
- Re: Opinion: Worst interface ever. Darren Reed (Jul 06)
- Re: Opinion: Worst interface ever. Paul D. Robertson (Jul 06)
- Re: Opinion: Worst interface ever. Paul D. Robertson (Jul 05)
- Re: Opinion: Worst interface ever. Adam Jones (Jul 05)
- Re: Opinion: Worst interface ever. Dave Piscitello (Jul 05)
- Re: Opinion: Worst interface ever. Paul D. Robertson (Jul 05)
- Re: Opinion: Worst interface ever. Marcus J. Ranum (Jul 05)
- Re: Opinion: Worst interface ever. StefanDorn (Jul 05)
- Re: Opinion: Worst interface ever. Paul D. Robertson (Jul 05)
- Re: Opinion: Worst interface ever. StefanDorn (Jul 05)
- Re: Opinion: Worst interface ever. Jan Tietze (Jul 06)
- Re: Opinion: Worst interface ever. Dave Piscitello (Jul 18)
- Re: Opinion: Worst interface ever. sin (Jul 21)
- Re: Opinion: Worst interface ever. Paul D. Robertson (Jul 05)
- RE: Opinion: Worst interface ever. Paul D. Robertson (Jul 05)