Firewall Wizards mailing list archives

RE: Rationale for BSD (I)PF rule order?


From: "Stewart, John" <johns () artesyncp com>
Date: Mon, 12 May 2003 14:05:55 -0500


Darren Reed wrote:
but a firewall has to deal with at least 4 dimensional matching:
source & destination IP addresses, source & destination port numbers.
in 4 dimensions, "best match" is ill-defined.

suppose you had 2 rules:
 1.   from anywhere, to host x, with any service, pass
 2.   from anywhere, to anywhere, with service y, drop.

what do you do with traffic from somewhere to x with service y?
which rule is a better match? I grant you that you could 
impose some priorities on the fields to break such ties, but
this only makes the situation more confusing.

True, this is the drawback of "best match". To be quite honest, I don't know offhand which rule would apply in this 
case. I'm sure there is a well-defined precedence order here. Of course, drop takes precedence over pass. However, 
whether the most specific service(s) or more specific host(s) is of higher precedence, I don't know.

However, in practice it doesn't come up (for my systems). I would submit that the second rule here is redundant. Drop 
is implied. I would never have built a ruleset which includes either of these two rules.

For rule 1, I would never configure a rule which allows "any" service. I only allow specific, known services. Would you 
want to implicitly add more allowed ports to old rules simply because you added a new protocol definition to the 
firewall?

For rule 2, as I mentioned, it is redundant. Drop is implied.

In my experience, it is not very hard at all to build a ruleset for which there is no question of ambiguity. And 
because it is conceptually easier to understand, it's easier to sort out what the actual behaviour will be for a given 
packet. 

johnS
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
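The tie Darren describes and the overlap-free style John argues for can both be made concrete with a small rule matcher. The following is an added illustration, not code from the original post and not ipf's implementation: it evaluates one constructed packet ("from somewhere to host x with service y") against the two quoted rules under first-match, last-match (the ipf/pf default when no `quick` is used) and a naive "best match" that scores a rule by how many fields it constrains. The addresses, ports and rule names are constructed stand-ins.

```python
"""Three ways to pick the winning firewall rule for a packet.

Added illustration for the best-match discussion; not ipf source and not
code from the original post.  All rules, addresses and packets below are
constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed stand-ins: "host x" from the post is 192.0.2.10, "service y" is port 80.
HOST_X = "192.0.2.10/32"
SERVICE_Y = 80


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[str]     # CIDR string, or None for "anywhere"
    dst: Optional[str]     # CIDR string, or None for "anywhere"
    sport: Optional[int]   # source port, or None for any
    dport: Optional[int]   # destination port, or None for "any service"
    action: str            # "pass" or "drop"

    def matches(self, pkt: dict) -> bool:
        """True if every constrained field of the rule matches the packet."""
        if self.src is not None and ip_address(pkt["src"]) not in ip_network(self.src):
            return False
        if self.dst is not None and ip_address(pkt["dst"]) not in ip_network(self.dst):
            return False
        if self.sport is not None and pkt["sport"] != self.sport:
            return False
        if self.dport is not None and pkt["dport"] != self.dport:
            return False
        return True

    def specificity(self) -> int:
        """Number of the four fields the rule constrains (its 'best match' score)."""
        return sum(f is not None for f in (self.src, self.dst, self.sport, self.dport))


class AmbiguousMatch(Exception):
    """Raised when best-match has two equally specific rules that disagree."""


def first_match(rules, pkt, default="drop"):
    """Ordered evaluation: the first matching rule wins."""
    for r in rules:
        if r.matches(pkt):
            return r.action, r.name
    return default, "implicit-default"


def last_match(rules, pkt, default="drop"):
    """Ordered evaluation: the last matching rule wins (ipf/pf without 'quick')."""
    winner = None
    for r in rules:
        if r.matches(pkt):
            winner = r
    return (winner.action, winner.name) if winner else (default, "implicit-default")


def best_match(rules, pkt, default="drop"):
    """Pick the most specific matching rule; rule order is irrelevant.

    Raises AmbiguousMatch when the top specificity is shared by rules with
    different actions, which is the tie described in the post.
    """
    hits = [r for r in rules if r.matches(pkt)]
    if not hits:
        return default, "implicit-default"
    top = max(r.specificity() for r in hits)
    tied = [r for r in hits if r.specificity() == top]
    if len({r.action for r in tied}) > 1:
        raise AmbiguousMatch([r.name for r in tied])
    return tied[0].action, tied[0].name


# The two rules quoted in the thread.
AMBIGUOUS_RULESET = [
    Rule("1: any -> x, any service, pass", None, HOST_X, None, None, "pass"),
    Rule("2: any -> any, service y, drop", None, None, None, SERVICE_Y, "drop"),
]

# The style the reply argues for: only named services allowed, drop left implicit.
EXPLICIT_RULESET = [
    Rule("ssh to x", None, HOST_X, None, 22, "pass"),
    Rule("smtp to x", None, HOST_X, None, 25, "pass"),
]

# Constructed packet: "from somewhere to x with service y".
PKT_TO_X_SERVICE_Y = {"src": "198.51.100.7", "dst": "192.0.2.10", "sport": 40000, "dport": SERVICE_Y}


def compare(rules, pkt):
    """Run all three strategies; report 'ambiguous' instead of raising."""
    out = {"first": first_match(rules, pkt), "last": last_match(rules, pkt)}
    try:
        out["best"] = best_match(rules, pkt)
    except AmbiguousMatch as e:
        out["best"] = ("ambiguous", e.args[0])
    return out


if __name__ == "__main__":
    for label, rs in (("quoted", AMBIGUOUS_RULESET), ("explicit", EXPLICIT_RULESET)):
        for strategy, verdict in compare(rs, PKT_TO_X_SERVICE_Y).items():
            print(f"{label:8} {strategy:5} -> {verdict}")
```

Against the quoted ruleset the three strategies disagree (pass, drop, ambiguous), which is the point of the quoted objection; against the explicit ruleset every strategy yields the implicit drop, because no two rules overlap with conflicting actions and "drop" is never spelled out as a catch-all rule.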