Firewall Wizards mailing list archives
Re: Rationale for BSD (I)PF rule order?
From: Darren Reed <darrenr () reed wattle id au>
Date: Sat, 10 May 2003 15:10:25 +1000 (EST)
In some email I received from Stewart, John, sie wrote:
> It would be more understandable to say "no pets allowed, except for goldfish and iguanas" than to say "Goldfish and iguanas are allowed in my apartment. No other pets are allowed". Even though the latter would sound more natural to a computer, it is human beings who will maintain the pet rules (or in this case, firewall rules).
>
> Or, IMHO, even better than first or last fit is "best" fit. This is definitely the most "human" way of understanding firewall rules. You don't have to bother with which order they are in at all:
>
> - No pets are not allowed
> - Goldfish and iguanas are allowed
>
> ....are the two rules in the ruleset, in any order. This is the way Raptor handles it, and when it looks for a rule match, it starts at the most specific. If a goldfish comes in, the goldfish/iguana rule matches. If a cat comes in, the general pet rule matches. I don't like everything about Raptor, but the rule matching is definitely something I do. I'm not aware of any other products or open source projects which do anything similar, but perhaps some do.
My question to you is, how do you know their firewall works in this way and this isn't just a view given to you by the application interface to the back end?

That aside, there are a few papers around on how to evaluate firewall rules better from a point of view that centers on finding the best possible match for a given packet as early as possible. This is sort of aligned to what you're describing here.

What this really comes down to is how you think of the "problem" (access control). This seems to be a fairly abstract concept where different people think of what they want in a different way. You appear to like the idea of "best match" whereas others might prefer explicit listing with a net at the top (default block) to stop everything but a few, or to siphon off what you want to allow and have a bucket at the bottom to catch the rest.

I'm not going to say that one way or another is the correct mode to think of this problem in, but what I will say is that "best match" rings alarms in my head. Why? Because when it comes to networking, the rule that "best matches" a packet could result in unexpected behaviour if the rule that is the "best match" is not as precise as it should be, or it results in "extra details" being ignored.

If, for example, your firewall has 4 networks going through it and the best match rule for a packet is "allow host a to talk to host b", then what does this allow for in the case of source routed packets? Oh, you might say "do not allow any source routed packets", but is that clearly a better match than "host A to host B", or do all of those kind of rules now have to have "host A to host B without source routing"? Now even if I had "no packets with source routing" in there, is that necessarily a better match than "host A to host B"? I'm sure you might come up with "other" solutions, but do they necessarily fit solely within the "best match" category or require "extra" action?
Darren

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
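The exchange above contrasts first-match evaluation (order decides) with "best match" evaluation (the most specific matching rule wins regardless of order), and raises the question of what "most specific" means once a rule constrains something other than addresses, such as source routing. The following is an added illustration written for this archive page; it is not code from the list, from IPF/PF, or from Raptor. The addresses are constructed from documentation ranges, and the specificity metric (sum of source and destination prefix lengths, plus one for each option the rule constrains) is an assumption chosen to make the ordering question concrete, not any product's actual algorithm.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    source_routed: bool = False   # constructed attribute standing in for an IP option

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                           # "pass" or "block"
    src: IPv4Network
    dst: IPv4Network
    source_routed: Optional[bool] = None  # None means the rule does not care

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in self.src:
            return False
        if ip_address(pkt.dst) not in self.dst:
            return False
        if self.source_routed is not None and pkt.source_routed != self.source_routed:
            return False
        return True

    def specificity(self) -> int:
        # Assumed metric: longer prefixes and extra constraints count as "more specific".
        return self.src.prefixlen + self.dst.prefixlen + int(self.source_routed is not None)

def make_rule(name, action, src="0.0.0.0/0", dst="0.0.0.0/0", source_routed=None) -> Rule:
    return Rule(name, action, ip_network(src), ip_network(dst), source_routed)

def first_match(rules, pkt: Packet, default="block") -> str:
    """IPF/PF-style evaluation: the first rule in list order that matches decides."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return default

def best_match(rules, pkt: Packet, default="block") -> str:
    """Best-fit evaluation: the most specific matching rule decides, order is irrelevant.
    Raises if equally specific rules disagree, since the policy then has no answer."""
    hits = [r for r in rules if r.matches(pkt)]
    if not hits:
        return default
    top = max(r.specificity() for r in hits)
    tied = [r for r in hits if r.specificity() == top]
    actions = {r.action for r in tied}
    if len(actions) > 1:
        raise ValueError("ambiguous: " + " vs ".join(r.name for r in tied))
    return actions.pop()

# Constructed hosts (documentation ranges), playing host A and host B from the thread.
HOST_A = "192.0.2.10"
HOST_B = "198.51.100.20"

ALLOW_A_TO_B = make_rule("pass A->B", "pass", src=HOST_A + "/32", dst=HOST_B + "/32")
ALLOW_A_TO_B_NO_SR = make_rule("pass A->B without source routing", "pass",
                               src=HOST_A + "/32", dst=HOST_B + "/32", source_routed=False)
BLOCK_ALL = make_rule("block all (no pets)", "block")
BLOCK_SOURCE_ROUTED = make_rule("block source-routed packets", "block", source_routed=True)

def demo() -> dict:
    plain = Packet(HOST_A, HOST_B)
    sr = Packet(HOST_A, HOST_B, source_routed=True)
    ruleset = [BLOCK_SOURCE_ROUTED, ALLOW_A_TO_B, BLOCK_ALL]
    return {
        # First match: swapping two rules flips the verdict.
        "first_match_pass_then_block": first_match([ALLOW_A_TO_B, BLOCK_ALL], plain),
        "first_match_block_then_pass": first_match([BLOCK_ALL, ALLOW_A_TO_B], plain),
        # Best match: same verdict in either order.
        "best_match_either_order": best_match([BLOCK_ALL, ALLOW_A_TO_B], plain),
        # The source-routing question: a /32-to-/32 pass outscores a "block source routing" rule.
        "first_match_source_routed": first_match(ruleset, sr),
        "best_match_source_routed": best_match(ruleset, sr),
        # Only after the pass rule also says "without source routing" does best match block it.
        "best_match_source_routed_fixed": best_match([BLOCK_SOURCE_ROUTED, ALLOW_A_TO_B_NO_SR, BLOCK_ALL], sr),
    }

def ambiguous_case() -> str:
    # Two rules of equal specificity that disagree: best match has no tie-break on its own.
    block_from_net = make_rule("block 192.0.2.0/24 -> any", "block", src="192.0.2.0/24")
    pass_to_net = make_rule("pass any -> 198.51.100.0/24", "pass", dst="198.51.100.0/24")
    try:
        best_match([block_from_net, pass_to_net], Packet(HOST_A, HOST_B))
    except ValueError:
        return "ambiguous"
    return "resolved"

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
    print("equal-specificity disagreement:", ambiguous_case())
```

Under this metric a source-routed packet from A to B is passed by best match even with a "block source-routed packets" rule present, because the address-specific pass rule scores higher; first match with the block rule at the top drops it. Making the pass rule explicitly "without source routing" restores the block, which is exactly the extra wording the reply asks whether every such rule would need. The ambiguity path shows the other cost of best match: equally specific rules that disagree force a tie-break policy that first match never has to define.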