Firewall Wizards mailing list archives

RE: Rationale for BSD (I)PF rule order?


From: Gwendolynn ferch Elydyr <gwen () reptiles org>
Date: Mon, 12 May 2003 14:04:42 -0400 (EDT)

On Mon, 12 May 2003, Ben Nagy wrote:
> Maybe I'll add a new principle when teaching my 'Dao of Good Security' - "if
> your security policy is complex then it isn't working".

Somehow I'm left with the phrase:

        "Any sufficiently complex ruleset is indistinguishable from magic"

Then again, I'm firmly of the belief that code or configs that have
sections in them with comments like "Magic happens here" are generally
dangerous. It may be true that the person who originally wrote such
cleverness continues to know and understand what they did - but it's
much more common for them (and everyone else) to forget what (and why)
was done.

cheers!
==========================================================================
"A cat spends her life conflicted between a deep, passionate and profound
desire for fish and an equally deep, passionate and profound desire to
avoid getting wet.  This is the defining metaphor of my life right now."

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards