Re: Rationale for BSD (I)PF rule order?

[Darren Reed <darrenr () reed wattle id au>]

In some email I received from Stewart, John, sie wrote:
> > It would be more understandable to say "not pets allowed, except for
> > goldfish and iguanas" than to say "Goldfish and iguanas are 
> > allowed in my
> > apartment. No other pets are allowed". Eventhough the latter 
> > would sound
> > more natural to a computer, it is human beings who will 
> > maintain the pet
> > rules (or in this case, firewall rules). 
>
> Or, IMHO, even better than first or last fit is "best" fit. This is
> definitely the most "human" way of understanding firewall rules. You
> don't have to bother with which order they are in at all:
>
> - No pets are not allowed
> - Goldfish and iguanas are allowed
>
> ....are the two rules in the ruleset, in any order.
>
> This is the way Raptor handles it, and when it looks for a rule match,
> it starts at the most specific. If a goldfish comes in, the goldfish/iguana
> rule matches. If a cat comes in, the general pet rule matches.
>
> I don't like everything about Raptor, but the rule matching is definitely
> something I do. I'm not aware of any other products or open source
> projects which do anything similar, but perhaps some do.

My question to you is, how do you know their firewall works in this way
and this isn't just a view given to you by the application interface to
the back end?

That aside, there are a few papers around on how to evaluate firewall rules
better from a point of view that centers around on finding the best possible
match for a given packet as early as possible.  This is sort of aligned to
what you're describing here.

What this really comes down to is how you think of the "problem"
(access control).  This seems to be a fairly abstract concept where
different people think of what they want in a different way.  You
appear to like the idea of "best match" whereas others might prefer
explicit listing with a net at the top (default block) to stop everything
but a few or to siphon off what you want to allow and have a bucket
at the bottom to catch the rest.  I'm not going to say that one way or
another is the correct mode to think of this problem in, but what I will
say is that "best match" rings alarms in my head.  Why?  Because when it
comes to networking, the rule that "best matches" a packet could result
in unexpected behaviour if the rule that is the "best match" is not as
precise as it should be or it results in "extra details" being ignored.

If, for example, your firewall has 4 networks going through it and the
best match rule for a packet is "allow host a to talk to host b", then
what does this allow for in the case of source routed packets?  Oh,
you might say "do not allow any source routed packets", but is that
clearly a better match than "host A to host B" or do all of those kind
of rules now have to have "host A to host B without source routing"?
Now even if I had "no packets with source routing" in there, is that
necessarily a better match than "host A to host B" ?  I'm sure you might
come up with "other" solutions but do they necessarily fit solely within
the "best match" category or require "extra" action?

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards