Firewall Wizards mailing list archives

RE: Rationale for BSD (I)PF rule order?


From: "Stewart, John" <johns () artesyncp com>
Date: Fri, 9 May 2003 11:30:16 -0500


It would be more understandable to say "no pets allowed, except for goldfish and iguanas" than to say "Goldfish and iguanas are allowed in my apartment. No other pets are allowed". Even though the latter would sound more natural to a computer, it is human beings who will maintain the pet rules (or in this case, firewall rules).

Or, IMHO, even better than first or last fit is "best" fit. This is definitely the most "human" way of understanding firewall rules. You don't have to bother with which order they are in at all:

- No pets are allowed
- Goldfish and iguanas are allowed

...are the two rules in the ruleset, in any order.

This is the way Raptor handles it, and when it looks for a rule match, it starts at the most specific. If a goldfish comes in, the goldfish/iguana rule matches. If a cat comes in, the general pet rule matches.

I don't like everything about Raptor, but the rule matching is definitely something I do like. I'm not aware of any other products or open source projects which do anything similar, but perhaps some do.

johnS
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
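The three matching disciplines discussed in this thread (first match, last match, and "best fit" by specificity), as an added Python example that is not part of the original post and not Raptor's or pf's own code. The ruleset, the packets and the specificity metric (combined prefix length, then concrete protocol, then concrete port) are constructed for illustration; the post does not say how Raptor actually ranks rules. The example also shows the caveat a practitioner hits with best fit: two equally specific rules that overlap and disagree have no tie-break, so a `conflicts()` lint flags them before the ruleset is loaded.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

DEFAULT_ACTION = "deny"   # what happens when no rule matches (assumed default policy)


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source network, CIDR
    dst: str               # destination network, CIDR
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # destination port; None matches any port

    def matches(self, pkt: dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

    def specificity(self) -> Tuple[int, bool, bool]:
        # Constructed metric for "most specific": longer combined prefix length,
        # then a concrete protocol, then a concrete port. Raptor's real metric is
        # not described in the post; this is only one plausible choice.
        nets = (ipaddress.ip_network(self.src), ipaddress.ip_network(self.dst))
        return (sum(n.prefixlen for n in nets), self.proto != "any", self.dport is not None)


def first_match(rules: List[Rule], pkt: dict) -> str:
    """First matching rule wins (e.g. ipfw, or a pf rule marked 'quick')."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return DEFAULT_ACTION


def last_match(rules: List[Rule], pkt: dict) -> str:
    """Last matching rule wins (pf's default without 'quick')."""
    return first_match(list(reversed(rules)), pkt)


def best_match(rules: List[Rule], pkt: dict) -> str:
    """Most specific matching rule wins, independent of rule order."""
    hits = [r for r in rules if r.matches(pkt)]
    if not hits:
        return DEFAULT_ACTION
    top = max(r.specificity() for r in hits)
    actions = {r.action for r in hits if r.specificity() == top}
    if len(actions) > 1:
        raise ValueError("ambiguous: equally specific rules disagree for %r" % (pkt,))
    return actions.pop()


def conflicts(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """Lint for best-fit rulesets: pairs of equally specific rules that can both
    match some packet but disagree on the action. Best fit has no tie-break for
    these, so they should be rewritten before the ruleset is loaded."""
    found = []
    for i, a in enumerate(rules):
        for b in rules[i + 1:]:
            if a.action == b.action or a.specificity() != b.specificity():
                continue
            overlap = (ipaddress.ip_network(a.src).overlaps(ipaddress.ip_network(b.src))
                       and ipaddress.ip_network(a.dst).overlaps(ipaddress.ip_network(b.dst)))
            same_proto = a.proto == b.proto or "any" in (a.proto, b.proto)
            same_port = a.dport == b.dport or None in (a.dport, b.dport)
            if overlap and same_proto and same_port:
                found.append((a, b))
    return found


# Constructed ruleset: the post's "no pets, except goldfish and iguanas".
RULES = [
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", "any", None),        # no pets allowed
    Rule("allow", "10.0.0.0/24", "192.0.2.10/32", "tcp", 22),   # goldfish: ssh from the LAN
    Rule("allow", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),    # iguanas: https from anywhere
]

# Constructed packets (private and documentation address ranges).
SSH_FROM_LAN = {"src": "10.0.0.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 22}
SMB_FROM_LAN = {"src": "10.0.0.7", "dst": "192.0.2.10", "proto": "tcp", "dport": 445}
PING = {"src": "203.0.113.5", "dst": "192.0.2.10", "proto": "icmp"}


def decisions(rules: List[Rule], pkt: dict) -> dict:
    """Evaluate one packet under all three disciplines at once."""
    return {"first": first_match(rules, pkt),
            "last": last_match(rules, pkt),
            "best": best_match(rules, pkt)}


if __name__ == "__main__":
    for name, pkt in (("ssh", SSH_FROM_LAN), ("smb", SMB_FROM_LAN), ("ping", PING)):
        print(name, "as written:", decisions(RULES, pkt))
        print(name, "reversed:  ", decisions(list(reversed(RULES)), pkt))
    bad = RULES + [Rule("deny", "10.0.0.0/24", "192.0.2.10/32", "tcp", 22)]
    print("conflicting pairs:", len(conflicts(bad)))
```

Running it shows the point of the post: for the ssh packet, first match says deny and last match says allow with the ruleset as written, and both flip when the list is reversed, while best match says allow either way. The price of order independence is that the ruleset must contain no equally specific, overlapping, contradicting pairs; `conflicts()` is the check to run, since `best_match()` has to refuse such a packet rather than silently pick one.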

