Firewall Wizards mailing list archives
Re: Rationale for BSD (I)PF rule order?
From: Paul Robertson <proberts () patriot net>
Date: Sun, 11 May 2003 20:51:47 -0400 (EDT)
On Sat, 10 May 2003, Avishai Wool wrote:
IMHO, it's worse than Darren wrote. "best match" comes to us from the routing world, where matching is almost always one-dimensional: a router cares (almost) only about the destination IP address. In one dimension, "best match" semantics are well defined.
Indeed, the router may care about "which route to use," which adds an additional dimension. The key difference (IMO) is that routers try to get the traffic to the destination via any valid working route, but firewalls really are about limiting and blocking things, so "best match" isn't quite the right cognitive tool for most situations compared to first match. Look at it this way: if I have two routes to a destination IP address, and I'm a router, I really don't care all that much which way things go, so long as they get there[1].
But a firewall has to deal with at least 4-dimensional matching: source & destination IP addresses, source & destination port numbers. In 4 dimensions, "best match" is ill-defined.
Firewalls don't *have* to deal with port numbers, so it's best to say "up to" rather than "at least."
FYI, Cisco PIX used "best match" semantics up to v4.4 on "outbound" rules, and that was horribly confusing IMHO. They switched to normal "first match" semantics with the access-list commands of v5.0.
Even when I ran IPF boxen in production, I "quick"'d all the rulesets so that reading them was intuitive to anyone who didn't have IPF experience. I can't imagine a 2am "Fix the ruleset to allow or block $foo" phone call with a back-up admin, or worse yet operations folks, without it.

Paul

[1] Yes, you can weight the routes, and I recall having to do so because a 75xx router thought the 10Mb/s FNS circuit (never get one of those) was better than a T-3 because the FNS circuit used a LAN interface and the T-3 was a WAN interface.

-----------------------------------------------------------------------------
Paul D. Robertson            "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
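The two points made above, that IPF's default last-match semantics read "backwards" until every rule is marked "quick", and that "best match" has no single answer once rules are specific in different dimensions, can be shown with a toy evaluator. This is an added example written for this archive page; it is not code from the thread, from IPF or from any other firewall, and it models only three match dimensions (source address, destination address, destination port) rather than IPF's full set (protocol, interface, direction, flags and so on). The addresses, ports and rules are constructed for the illustration.

```python
"""Toy packet-filter evaluator: IPF-style last-match versus 'quick' first-match,
and a 'best match' that refuses to choose between incomparable rules.
Constructed example; not IPF's code and not a complete model of its syntax."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

Packet = Tuple[str, str, int]  # (src_ip, dst_ip, dst_port)


@dataclass(frozen=True)
class Rule:
    action: str                       # "pass" or "block"
    src: str                          # CIDR or "any"
    dst: str                          # CIDR or "any"
    dport: Optional[Tuple[int, int]]  # inclusive (lo, hi); None = any port
    quick: bool = False               # IPF 'quick': stop here if this rule matches


def matches(rule: Rule, pkt: Packet) -> bool:
    """True when the packet falls inside every dimension of the rule."""
    src, dst, dport = pkt
    if rule.src != "any" and ip_address(src) not in ip_network(rule.src):
        return False
    if rule.dst != "any" and ip_address(dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and not (rule.dport[0] <= dport <= rule.dport[1]):
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """IPF default semantics: walk top to bottom, the LAST matching rule wins,
    unless a matching rule is 'quick', which ends the walk at that rule."""
    verdict = default
    for rule in rules:
        if matches(rule, pkt):
            verdict = rule.action
            if rule.quick:
                break
    return verdict


def first_match(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """The same ruleset with every rule 'quick'd: first match wins."""
    quick = [Rule(r.action, r.src, r.dst, r.dport, quick=True) for r in rules]
    return evaluate(quick, pkt, default)


def specificity(rule: Rule) -> Tuple[int, int, int]:
    """Per-dimension specificity, larger = narrower: prefix length for each
    address, negative width of the port range. Only comparable dimension by
    dimension, which is the root of the 'best match' problem."""
    def bits(net: str) -> int:
        return 0 if net == "any" else ip_network(net).prefixlen
    width = 65536 if rule.dport is None else rule.dport[1] - rule.dport[0] + 1
    return (bits(rule.src), bits(rule.dst), -width)


def best_match(rules: List[Rule], pkt: Packet) -> Optional[str]:
    """Return the action of the matching rule that is at least as specific as
    every other matching rule in EVERY dimension, or None when no single rule
    dominates (the ambiguity discussed in the thread)."""
    cands = [r for r in rules if matches(r, pkt)]
    if not cands:
        return None

    def dominates(a: Rule, b: Rule) -> bool:
        return all(x >= y for x, y in zip(specificity(a), specificity(b)))

    winners = [r for r in cands if all(dominates(r, other) for other in cands)]
    return winners[0].action if len(winners) == 1 else None


# Constructed last-match style ruleset: catch-all first, exceptions below it.
RULES = [
    Rule("pass",  "any",         "any", None),      # pass in from any to any
    Rule("block", "10.1.0.0/16", "any", None),      # block in from 10.1.0.0/16 to any
    Rule("pass",  "10.1.2.0/24", "any", (80, 80)),  # pass in from 10.1.2.0/24 to any port = 80
]

# Two rules that are each more specific than the other in a different dimension.
INCOMPARABLE = [
    Rule("block", "10.1.2.0/24", "any",          None),
    Rule("pass",  "any",         "192.0.2.0/24", (80, 80)),
]

if __name__ == "__main__":
    web = ("10.1.2.3", "192.0.2.10", 80)
    ssh = ("10.1.2.3", "192.0.2.10", 22)
    print("last-match :", evaluate(RULES, web), evaluate(RULES, ssh))
    print("first-match:", first_match(RULES, web), first_match(RULES, ssh))
    print("best-match :", best_match(RULES, web), best_match(INCOMPARABLE, web))
```

Run as written, the same three-rule set blocks the SSH packet under last-match but passes it once every rule is "quick", because the catch-all at the top now wins; that is the reading mismatch a back-up admin would hit at 2am. For the two incomparable rules, last-match says pass, first-match says block, and best_match returns None because neither rule is more specific in all dimensions at once.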
Current thread:
- Re: Rationale for BSD (I)PF rule order?, (continued)
- Re: Rationale for BSD (I)PF rule order? Mikael Olsson (May 09)
- Re: Rationale for BSD (I)PF rule order? Bill Royds (May 09)
- Re: Rationale for BSD (I)PF rule order? Barney Wolff (May 10)
- Re: Rationale for BSD (I)PF rule order? David Pick (May 10)
- Re: Rationale for BSD (I)PF rule order? Mikael Olsson (May 09)
- RE: Rationale for BSD (I)PF rule order? Smith Gary-GSMITH1 (May 09)
- RE: Rationale for BSD (I)PF rule order? Stewart, John (May 09)
- Re: Rule lookup strategies (Was: Rationale for BSD (I)PF rule order?) Mikael Olsson (May 09)
- Re: Rule lookup strategies (Was: Rationale for BSD (I)PF rule order?) Gary Flynn (May 10)
- Re: Rationale for BSD (I)PF rule order? Darren Reed (May 10)
- Re: Rationale for BSD (I)PF rule order? Avishai Wool (May 11)
- Re: Rationale for BSD (I)PF rule order? Paul Robertson (May 12)
- Re: Rule lookup strategies (Was: Rationale for BSD (I)PF rule order?) Mikael Olsson (May 09)
- Re: Rationale for BSD (I)PF rule order? Bill Royds (May 11)
- Re: Rationale for BSD (I)PF rule order? Marcus J. Ranum (May 12)
- RE: Rationale for BSD (I)PF rule order? Ben Nagy (May 12)
- RE: Rationale for BSD (I)PF rule order? Paul Robertson (May 12)
- RE: Rationale for BSD (I)PF rule order? Marcus J. Ranum (May 12)
- RE: Rationale for BSD (I)PF rule order? Paul Robertson (May 12)