Re: [FW1] How many rules can exists in fw1 ?

[DIGEX Grrrrrrrrrl <jgalvin () schultz cs loyola edu>]

Well, yes.  I would like to know why.


> It was you who mentioned it in the first place!  If there is an encryption
> rule between two hosts, and then a rule later on that allows traffic
> between the two _without_ encryption, the second rule is used rather than
> the first - hence an exception to 'first fit'!
>
> > What do you mean exeption?  How and why does the stateful inspection
> > module treat them differently?
> >
> > Well, in any case, that would explain it.... 
> >
> > Regards,
> > Jennifer Galvin
> >
> > > Nope, not in the case of encryption rules, which are an exception to the
> > > 'first fit' model.
> > >
> > > > I was under the impression that it looked at the properties first, that
> > > > is where the rule 0 comes from and then the order of the rules.  Anytime
> > > > that I have used the fw-1 and tried to setup conflicting rules, the
> > > > verify portion has always bombed.
> > > >
> > > > - Deepak
> > > >
> > > > Jennifer Galvin wrote:
> > > > > That's how it was explained to me in class.  Plus, if you have a rule
> that
> > > > > requires encryption between two hosts, and then later on it allows no
> > > > > encryption between two hosts, FW1 will then pick the rule with less
> > > > > security, even though it comes after the 1st rule.