Firewall Wizards mailing list archives
Re: [FW1] How many rules can exists in fw1 ?
From: Deepak Vaidya <dvaidya () clark net>
Date: Sun, 20 Sep 1998 08:00:21 -0400
I was under the impression that it looked at the properties first (that is where rule 0 comes from) and then the order of the rules. Any time that I have used FW-1 and tried to set up conflicting rules, the verify portion has always bombed.

- Deepak

Jennifer Galvin wrote:

> That's how it was explained to me in class. Plus, if you have a rule that requires encryption between two hosts, and then later on it allows no encryption between two hosts, FW1 will then pick the rule with less security, even though it comes after the 1st rule.
>
> Regards, Jennifer Galvin
>
> > Really? I'd always thought that packets were compared from the rulebase until a match was found. Try rule 0 first... nope, does not match. Try rule 1 next... nope, does not match. Try rule 2 next... nope, does not match... Try rule 25... AHA, we have a source AND dest AND service match; is it allowed or not?
> >
> > -----Original Message-----
> > From: Jennifer Galvin [SMTP:jgalvin () digex net]
> > Sent: Saturday, September 19, 1998 3:21 PM
> > To: Øyvind Olsen
> > Cc: fw-1-mailinglist () lists us checkpoint com
> > Subject: Re: [FW1] How many rules can exists in fw1 ?
> >
> > > Whenever you edit an existing rulebase and insert a new rule, more Inspect code is generated by the GUI for the new policy. So, 500 rules = lots of code for the inspection engine to crank through before it decides what to do with the traffic. Remember, FW1 is a best-fit firewall, not a first-fit, so it will preview all rules before it determines which one best matches the traffic going in or out. This means the amount of Inspect code is probably directly proportional to the overhead the firewall is going to experience each time it needs to analyze traffic. In short, make it concise, since more rules may slow down your firewall.
> > >
> > > Regards, Jennifer Galvin
> > >
> > > > Hi! Has anyone experimented with, say, 500 rules, and measured how the performance is affected? I might set up a test myself, but thought I'd ask the Gurus first ...
> > > >
> > > > Regards, Oyvind Olsen
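An added example, not Check Point's INSPECT code or anything posted in this thread: a first-match walk over a rulebase with an implicit rule 0 prepended, plus a simplified check for later rules that an earlier rule fully shadows, standing in for the kind of conflict a policy verify step catches. The ipaddress-based matcher, rule numbers, addresses and services are all constructed.

```python
from collections import namedtuple
from ipaddress import ip_address, ip_network

# src/dst: CIDR or "any"; service: "proto/port" or "any"; action: accept/drop/encrypt
Rule = namedtuple("Rule", "num src dst service action")

def _matches(field, value):
    """Does a rule field match one concrete packet value?"""
    if field == "any":
        return True
    if field[0].isdigit():  # CIDR field
        return ip_address(value) in ip_network(field)
    return field == value

def _subsumes(outer, inner):
    """Does every value the inner field can match also match the outer field?"""
    if outer == "any":
        return True
    if inner == "any":
        return False
    if outer[0].isdigit() and inner[0].isdigit():
        return ip_network(inner).subnet_of(ip_network(outer))
    return outer == inner

def first_match(rules, packet):
    """Top-down walk: the first rule whose src, dst and service all match wins."""
    src, dst, service = packet
    for rule in rules:
        if _matches(rule.src, src) and _matches(rule.dst, dst) and _matches(rule.service, service):
            return rule
    return None

def shadowed_rules(rules):
    """Later rules no packet can reach because an earlier rule covers everything they match."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            pairs = ((earlier.src, later.src), (earlier.dst, later.dst), (earlier.service, later.service))
            if all(_subsumes(a, b) for a, b in pairs):
                found.append((later.num, earlier.num))
                break
    return found

# Constructed sample rulebase. Rule 0 stands in for an implicit rule generated
# from the policy properties; rules 1-4 are the administrator's own.
IMPLICIT = [Rule(0, "any", "10.0.0.1/32", "tcp/256", "accept")]
RULES = [Rule(1, "10.1.0.0/16", "10.2.0.0/16", "any", "encrypt"),
         Rule(2, "10.1.5.0/24", "10.2.9.0/24", "tcp/80", "accept"),  # fully inside rule 1
         Rule(3, "any", "10.2.9.7/32", "tcp/80", "accept"),
         Rule(4, "any", "any", "any", "drop")]
RULEBASE = IMPLICIT + RULES
```

Under first-match, the constructed packet from 10.1.5.3 to 10.2.9.7 on tcp/80 hits the encrypt rule 1 even though rules 2 and 3 would accept it, and the shadow check reports rule 2 as unreachable behind rule 1.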
Current thread:
- RE: [FW1] How many rules can exists in fw1 ? Jennifer Galvin (Sep 19)
- Re: [FW1] How many rules can exists in fw1 ? Deepak Vaidya (Sep 20)
- Re: [FW1] How many rules can exists in fw1 ? Euan (Sep 21)
- Re: [FW1] How many rules can exists in fw1 ? DIGEX Grrrrrrrrrl (Sep 22)
- Re: [FW1] How many rules can exists in fw1 ? Euan (Sep 21)
- <Possible follow-ups>
- Re: [FW1] How many rules can exists in fw1 ? Vern Paxson (Sep 20)
- Re: [FW1] How many rules can exists in fw1 ? DIGEX Grrrrrrrrrl (Sep 24)
- Re: [FW1] How many rules can exists in fw1 ? Deepak Vaidya (Sep 20)