Firewall Wizards mailing list archives

Re: Rule lookup strategies (Was: Rationale for BSD (I)PF rule order?)


From: Gary Flynn <flynngn () jmu edu>
Date: Sat, 10 May 2003 04:41:14 -0400

Mikael Olsson wrote:

"Stewart, John" wrote:
Or, IMHO, even better than first or last fit is "best" fit. This is definitely the most "human" way of understanding firewall rules. You don't have to bother with which order they are in at all:

I've never worked with this myself, but I've heard people say
"it works for small configs, but can do unexpected/unwanted things for large ones".

What'd your thoughts on that be?

I'm thinking along the lines of "do foo to 0.0.0.0/0 -> 10.0.0.2/32, port 80-81",
"do bar to 0.0.0.0/0 -> 10.0.0.2/31, port 80".

Which one is more specific? There's one IP and two ports
in the first one, and two IPs and one port in the other one.
(Or substitute various other IP and/or protocol/port
combinations for other interesting problems).


Precisely. "Best" is in the eyes of the algorithm, and it would seem to add more complexity and uncertainty. I don't want any type of assumptions on the part of the firewall. I want it fully deterministic and to do exactly what I say and nothing more. It should not make assumptions for me on "what is best". Next we'll have a little paper clip fellow running around the GUI making suggestions. :)


_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
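The rule pair Mikael describes, run through first-match, last-match and three different "best-fit" specificity metrics, as an added example that is not part of the original thread. The rules come from his message; the packet, the metric definitions and the tie reporting are constructed here for illustration and are not taken from any particular firewall product:

```python
"""Compare first-match, last-match and several "best-match" metrics over the
two overlapping rules from the thread.  Rules and packet are constructed for
illustration; "foo" and "bar" are the placeholder actions used in the post."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    port_lo: int
    port_hi: int

    def matches(self, src_ip, dst_ip, port):
        return (src_ip in self.src and dst_ip in self.dst
                and self.port_lo <= port <= self.port_hi)

    def port_count(self):
        return self.port_hi - self.port_lo + 1


def rule(action, src, dst, ports):
    """Build a Rule from CIDR strings and a single port or a 'lo-hi' range."""
    lo, _, hi = ports.partition("-")
    return Rule(action, ipaddress.ip_network(src), ipaddress.ip_network(dst),
                int(lo), int(hi or lo))


# The two rules from Mikael's message, in the order he wrote them.
RULES = [
    rule("foo", "0.0.0.0/0", "10.0.0.2/32", "80-81"),
    rule("bar", "0.0.0.0/0", "10.0.0.2/31", "80"),
]


def first_match(rules, pkt):
    """Order-dependent: the first rule that matches wins."""
    for r in rules:
        if r.matches(*pkt):
            return r.action
    return None


def last_match(rules, pkt):
    """Order-dependent: the last rule that matches wins."""
    hit = None
    for r in rules:
        if r.matches(*pkt):
            hit = r
    return hit.action if hit else None


def best_match(rules, pkt, specificity):
    """Pick the matching rule with the highest specificity score.  A tie is
    reported rather than silently resolved, because that silent resolution is
    exactly where 'unexpected/unwanted' behaviour comes from."""
    hits = [r for r in rules if r.matches(*pkt)]
    if not hits:
        return None
    top = max(specificity(r) for r in hits)
    winners = [r.action for r in hits if specificity(r) == top]
    return winners[0] if len(winners) == 1 else "TIE:" + ",".join(sorted(winners))


# Three equally defensible definitions of "more specific" (constructed).
METRICS = {
    "longest_dst_prefix": lambda r: r.dst.prefixlen,
    "fewest_ports": lambda r: -r.port_count(),
    "fewest_addr_port_pairs": lambda r: -(r.dst.num_addresses * r.port_count()),
}


def lookup_all(rules, src, dst, port):
    """Run every strategy on one packet and return {strategy: chosen action}."""
    pkt = (ipaddress.ip_address(src), ipaddress.ip_address(dst), port)
    out = {"first_match": first_match(rules, pkt),
           "last_match": last_match(rules, pkt)}
    for name, metric in METRICS.items():
        out["best_" + name] = best_match(rules, pkt, metric)
    return out


if __name__ == "__main__":
    # Constructed packet: any source, to 10.0.0.2 port 80, which matches both rules.
    for strategy, action in lookup_all(RULES, "192.0.2.10", "10.0.0.2", 80).items():
        print(f"{strategy:30s} -> {action}")
```

For a packet to 10.0.0.2 port 80 the two ordered strategies give opposite answers (foo first, bar last) but each answer follows directly from the rule order. The three best-fit metrics disagree among themselves: longest destination prefix picks foo, fewest ports picks bar, and counting address/port pairs scores both rules at 2 and produces a tie the firewall would have to break by some further, undocumented convention. That is the non-determinism Gary objects to, and a lint that flags overlapping rules whose relative order is not explicit is the practical defence.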

