Firewall Wizards mailing list archives
RE: Rationale for BSD (I)PF rule order?
From: Smith Gary-GSMITH1 <Gary.R.Smith () motorola com>
Date: Thu, 8 May 2003 14:59:01 -0500
Hi all,

On one hand we have IPF, which uses "last match wins", and on the other Netfilter/iptables (Linux), which uses "first match wins". The proponents of first match wins say that it is more efficient, because not every rule has to be processed. Ultimately, the generation of the rulesets has to be done by a human, and humans have to read the rulesets to figure out why they are (or are not) working.

Consider this analogy of Tom Yates in "Building Linux and OpenBSD Firewalls": say we want to selectively allow some pets into our apartment, instead of selectively allowing certain packets into our firewall. If we want to prohibit most pets, but we find that goldfish and iguanas are bearable, it would be more understandable to say "No pets allowed, except for goldfish and iguanas" than to say "Goldfish and iguanas are allowed in my apartment. No other pets are allowed." Even though the latter would sound more natural to a computer, it is human beings who will maintain the pet rules (or in this case, firewall rules).

Even with the last-match-counts scheme of IP Filter, you can still force rule processing to stop at a certain matching rule by specifying the "quick" keyword in the rule.

Cheers,
Gary

-----Original Message-----
From: Barney Wolff [mailto:barney () databus com]
Sent: Thursday, May 08, 2003 12:38 PM
To: Volker Tanger
Cc: firewall-wizards () honor icsalabs com
Subject: Re: [fw-wiz] Rationale for BSD (I)PF rule order?

On Thu, May 08, 2003 at 02:59:39PM +0200, Volker Tanger wrote:
> I was not able to find a rationale for the BSD type of packet filter application. Where most FW/ACL implementations follow "first match", BSD usually takes "last match" (if you don't use the "quick" method). Is there a reason why that was decided this way? Especially as I currently cannot see advantages for this behaviour, only performance disadvantages. Can someone enlighten me here?
I can't supply a rationale for last-match, but note that ipfw is first match, not last.

--
Barney Wolff http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
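The two evaluation orders discussed in this thread, as an added example that is not part of any of the posts: a toy evaluator (simplified rule and packet fields, not real ipf or iptables syntax) that runs the same "block everything, then list the exceptions" policy under last-match and first-match semantics, and shows what the ipf "quick" keyword changes.

```python
# Added example (not from the thread): a toy evaluator for an IP Filter style
# ruleset that shows "last match wins" versus "first match wins", and how an
# ipf "quick" rule short-circuits the scan. Rule and packet fields are
# simplified assumptions, not real ipf/iptables syntax.
from dataclasses import dataclass

@dataclass
class Rule:
    action: str          # "pass" or "block"
    proto: str = "any"   # "tcp", "udp" or "any"
    dst_port: int = 0    # 0 matches any port
    quick: bool = False  # ipf "quick": stop processing at this rule if it matches

@dataclass
class Packet:
    proto: str
    dst_port: int

def matches(rule, pkt):
    return rule.proto in ("any", pkt.proto) and rule.dst_port in (0, pkt.dst_port)

def evaluate(rules, pkt, last_match_wins, default="block"):
    """Return (verdict, rules_examined). With last_match_wins the scan keeps
    going and remembers the last match (ipf); without it, or at a quick rule,
    the first match is final (iptables/ipfw, or ipf with quick)."""
    verdict, examined = default, 0
    for rule in rules:
        examined += 1
        if matches(rule, pkt):
            verdict = rule.action
            if not last_match_wins or rule.quick:
                break
    return verdict, examined

# Constructed ruleset in the thread's "no pets, except goldfish and iguanas"
# shape: block everything, then list the exceptions (SSH and DNS here).
IPF_STYLE = [Rule("block"), Rule("pass", "tcp", 22), Rule("pass", "udp", 53)]
# The same policy for a first-match filter must be written in reverse order.
FIRST_MATCH_STYLE = list(reversed(IPF_STYLE))

def demo():
    ssh, http = Packet("tcp", 22), Packet("tcp", 80)
    return {
        "ipf_ssh": evaluate(IPF_STYLE, ssh, last_match_wins=True),
        "ipf_http": evaluate(IPF_STYLE, http, last_match_wins=True),
        "fm_ssh": evaluate(FIRST_MATCH_STYLE, ssh, last_match_wins=False),
        "fm_http": evaluate(FIRST_MATCH_STYLE, http, last_match_wins=False),
        # Same rules in ipf order under first-match: the catch-all wins.
        "fm_wrong_order": evaluate(IPF_STYLE, ssh, last_match_wins=False),
        # A quick block is final under ipf without scanning the later rules.
        "ipf_quick": evaluate([Rule("block", quick=True)] + IPF_STYLE[1:], ssh, True),
    }
```

Under ipf every packet walks all three rules and the exceptions win because they come last; under first-match the exceptions must come first, and the same list in ipf order would block SSH after examining one rule.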