Firewall Wizards mailing list archives
Re: Rationale for BSD (I)PF rule order?
From: Mikael Olsson <mikael.olsson () clavister com>
Date: Fri, 09 May 2003 21:08:26 +0200
Holger Kipp wrote:
For me it is easier to create a treelike structure of rules using head and group and going from coarse to fine grained rules. With linear rules (first match), ordering of rules is more important, and with 20+ rules you get problems with side effects (rule 20 is never evaluated because rule 8 will fire first).
Please... I'm missing something. I feel I really must be missing something, because this is not making sense to me. Would someone _please_ tell me _how_ this differs from a last-match ruleset where rule 1 never does anything because rule 8 always overrides it? Except for the first-match ruleset reaching the same wrong conclusion faster, that is?

The way I see it, ordering is precisely as important in both cases. And you could even optimize a last-match ruleset lookup by making it look up backwards and stop as soon as a rule triggers.

Granted, mixed-mode lookups (i.e. using the "quick" keyword in a few places) could potentially get you out of trouble caused by a badly structured ruleset. But mixing in too much of this, with a worst-case fustercluck of 50%/50% quick/non-quick, just strikes me as a disaster waiting to happen; especially so in a multiple-admin situation.

--
Mikael Olsson, Clavister AB
Storgatan 12, Box 393, SE-891 28 ÖRNSKÖLDSVIK, Sweden
Phone: +46 (0)660 29 92 00
Mobile: +46 (0)70 26 222 05
Fax: +46 (0)660 122 50
WWW: http://www.clavister.com
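The symmetry Mikael is arguing for can be checked mechanically. The following is an added illustration, not code from the thread or from ipf/pf: a tiny rule evaluator with first-match and last-match (ipf/pf default, with "quick" ending evaluation) semantics, the backwards-walk shortcut he mentions, and a shadow check that reports which rules can never be the deciding rule under each semantics. The rule and packet representation (source CIDR plus destination port only) and the sample ruleset are constructed for the example and are deliberately simpler than a real ipf/pf ruleset.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set


@dataclass(frozen=True)
class Rule:
    action: str              # "pass" or "block"
    src: str                 # source as CIDR, or "any"
    dport: Optional[int]     # destination port, None = any port
    quick: bool = False      # ipf/pf "quick": stop evaluating on match


@dataclass(frozen=True)
class Packet:
    src: str
    dport: int


def matches(rule: Rule, pkt: Packet) -> bool:
    if rule.src != "any" and ip_address(pkt.src) not in ip_network(rule.src):
        return False
    return rule.dport is None or rule.dport == pkt.dport


def first_match(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """First-match semantics: the first rule that matches decides."""
    for r in rules:
        if matches(r, pkt):
            return r.action
    return default


def last_match(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """ipf/pf default semantics: the last matching rule decides, unless a
    matching rule is marked quick, which ends evaluation on the spot."""
    decision = default
    for r in rules:
        if matches(r, pkt):
            decision = r.action
            if r.quick:
                break
    return decision


def last_match_backwards(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """The shortcut from the post: with no quick rules, walking backwards and
    stopping at the first hit gives the same answer as last_match()."""
    for r in reversed(rules):
        if matches(r, pkt):
            return r.action
    return default


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by inner is also matched by outer."""
    if outer.src != "any":
        if inner.src == "any" or not ip_network(inner.src).subnet_of(ip_network(outer.src)):
            return False
    return outer.dport is None or outer.dport == inner.dport


def shadowed_first_match(rules: List[Rule]) -> Set[int]:
    """Indices of rules that never decide under first-match: an earlier rule covers them."""
    return {i for i, r in enumerate(rules) if any(covers(e, r) for e in rules[:i])}


def shadowed_last_match(rules: List[Rule]) -> Set[int]:
    """Indices of rules that never decide under last-match: an earlier quick rule
    covers them, or (if they are not quick themselves) a later rule covers them."""
    dead: Set[int] = set()
    for i, r in enumerate(rules):
        if any(e.quick and covers(e, r) for e in rules[:i]):
            dead.add(i)
        elif not r.quick and any(covers(l, r) for l in rules[i + 1:]):
            dead.add(i)
    return dead


# Constructed sample ruleset, written in the pf/ipf "last match wins" idiom:
RULES = [
    Rule("block", "any", None),          # 0: default deny
    Rule("pass", "10.0.0.0/8", 22),      # 1: allow SSH from the internal range
    Rule("block", "10.0.1.0/24", 22),    # 2: ... except from one subnet
]
REVERSED_RULES = RULES[::-1]             # the same policy written for first-match
QUICK_RULES = [RULES[0], Rule("pass", "10.0.0.0/8", 22, quick=True), RULES[2]]

PKT_BLOCKED = Packet("10.0.1.5", 22)     # constructed: from the excepted subnet
PKT_ALLOWED = Packet("10.0.2.5", 22)     # constructed: from the rest of 10/8

if __name__ == "__main__":
    for pkt in (PKT_BLOCKED, PKT_ALLOWED):
        print(pkt, "last-match:", last_match(RULES, pkt),
              "first-match (reversed):", first_match(REVERSED_RULES, pkt))
    print("dead under first-match:", shadowed_first_match(RULES))
    print("dead under last-match (reversed):", shadowed_last_match(REVERSED_RULES))
    print("dead once rule 1 is quick:", shadowed_last_match(QUICK_RULES))
```

Reading RULES first-match, rules 1 and 2 are dead because the default deny at the top covers everything; reading the reversed list last-match, the mirrored rules are dead for the mirrored reason, and reversing the list while switching semantics leaves every decision unchanged. Marking rule 1 quick silently kills rule 2 and breaks the backwards-walk shortcut, which is the mixed-mode hazard the post warns about.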