Firewall Wizards mailing list archives

Re: Rationale for BSD (I)PF rule order?


From: Avishai Wool <avishai_w () yahoo com>
Date: Sat, 10 May 2003 13:44:05 -0700 (PDT)


IMHO, it's worse than Darren wrote. "best match" comes to us
from the routing world, where matching is almost always one-dimensional:
a router cares (almost) only about the destination IP address.
In one dimension, "best match" semantics are well defined.

but a firewall has to deal with at least 4 dimensional matching:
source & destination IP addresses, source & destination port numbers.
in 4 dimensions, "best match" is ill-defined.

suppose you had 2 rules:
 1.   from anywhere, to host x, with any service, pass
 2.   from anywhere, to anywhere, with service y, drop.

what do you do with traffic from somewhere to x with service y?
which rule is a better match? I grant you that you could 
impose some priorities on the fields to break such ties, but
this only makes the situation more confusing.

FYI, Cisco PIX used "best match" semantics up to v4.4 on "outbound"
rules, and that was horribly confusing IMHO. They switched to
normal "first match" semantics with the access-list commands of
v5.0.

Avishai

--- Darren Reed <darrenr () reed wattle id au> wrote:
In some email I received from Stewart, John, sie wrote:

It would be more understandable to say "no pets allowed, except for
goldfish and iguanas" than to say "Goldfish and iguanas are allowed in my
apartment. No other pets are allowed". Even though the latter would sound
more natural to a computer, it is human beings who will maintain the pet
rules (or in this case, firewall rules).

Or, IMHO, even better than first or last fit is "best" fit. This is
definitely the most "human" way of understanding firewall rules. You
don't have to bother with which order they are in at all:

- No pets are allowed
- Goldfish and iguanas are allowed

....are the two rules in the ruleset, in any order.

This is the way Raptor handles it, and when it looks for a rule match,
it starts at the most specific. If a goldfish comes in, the goldfish/iguana
rule matches. If a cat comes in, the general pet rule matches.

I don't like everything about Raptor, but the rule matching is definitely
something I do. I'm not aware of any other products or open source
projects which do anything similar, but perhaps some do.

My question to you is, how do you know their firewall works in this way
and this isn't just a view given to you by the application interface to
the back end?

That aside, there are a few papers around on how to evaluate firewall rules
better from a point of view that centers on finding the best possible
match for a given packet as early as possible.  This is sort of aligned to
what you're describing here.

What this really comes down to is how you think of the "problem"
(access control).  This seems to be a fairly abstract concept where
different people think of what they want in a different way.  You
appear to like the idea of "best match" whereas others might prefer
explicit listing with a net at the top (default block) to stop everything
but a few or to siphon off what you want to allow and have a bucket
at the bottom to catch the rest.  I'm not going to say that one way or
another is the correct mode to think of this problem in, but what I will
say is that "best match" rings alarms in my head.  Why?  Because when it
comes to networking, the rule that "best matches" a packet could result
in unexpected behaviour if the rule that is the "best match" is not as
precise as it should be or it results in "extra details" being ignored.

If, for example, your firewall has 4 networks going through it and the
best match rule for a packet is "allow host a to talk to host b", then
what does this allow for in the case of source routed packets?  Oh,
you might say "do not allow any source routed packets", but is that
clearly a better match than "host A to host B" or do all of those kind
of rules now have to have "host A to host B without source routing"?
Now even if I had "no packets with source routing" in there, is that
necessarily a better match than "host A to host B" ?  I'm sure you might
come up with "other" solutions but do they necessarily fit solely within
the "best match" category or require "extra" action?

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards


=====
Avishai Wool, Ph.D.,
http://research.lumeta.com/yash/   http://www.eng.tau.ac.il/~yash
yash () acm org     Tel: +972-3-640-6316  Fax: +972-3-640-7095
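Avishai's two-rule example, worked through in code as an added illustration that is not part of the original message or of any product discussed in the thread. Host x, service y and the "somewhere" source are the placeholders from his message; the specificity score (count of non-wildcard fields), the tie-break priority tuple and the sample route table are this example's own assumptions. It shows that longest-prefix "best match" in one dimension always yields a single answer, that first-match semantics give a definite (order-dependent) answer on the two rules, and that "best match" on the same rules is a tie whose outcome flips depending on which field priority one imposes.

```python
"""First-match vs "best match" rule semantics (added example, not from the thread).

Shows why "best match" is well defined for a one-dimensional routing lookup
(longest prefix) but ambiguous for the multi-dimensional match a packet
filter performs.  Hosts, services and routes are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = None  # wildcard for a rule field


@dataclass(frozen=True)
class Rule:
    name: str
    src: Optional[str]      # host name/address, or ANY
    dst: Optional[str]
    service: Optional[str]  # stands in for the port dimensions, or ANY
    action: str             # "pass" or "drop"

    def matches(self, pkt: dict) -> bool:
        return all(
            field is ANY or field == pkt[key]
            for key, field in (("src", self.src), ("dst", self.dst), ("service", self.service))
        )

    def specificity(self) -> int:
        # Assumed scoring: how many fields the rule pins down.
        return sum(f is not ANY for f in (self.src, self.dst, self.service))


def first_match(rules, pkt):
    """Ordinary firewall semantics: the first matching rule in list order decides."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return "drop"  # implicit default deny


def best_match(rules, pkt, priority=None):
    """'Best match' semantics.  Returns (action, ambiguous).

    priority: optional tuple of field names used to break specificity ties,
    e.g. ("dst", "service") prefers the rule that pins down the destination.
    Without a priority, an equal-specificity tie is reported as ambiguous.
    """
    cands = [r for r in rules if r.matches(pkt)]
    if not cands:
        return "drop", False
    top = max(r.specificity() for r in cands)
    best = [r for r in cands if r.specificity() == top]
    if len(best) == 1:
        return best[0].action, False
    if priority is None:
        return None, True  # several equally specific rules: ill-defined

    def key(r):
        # True sorts before False under reverse=True, so the rule that is
        # specific in the highest-priority field wins.
        return tuple(getattr(r, f) is not ANY for f in priority)

    best.sort(key=key, reverse=True)
    return best[0].action, False


def longest_prefix(routes, addr):
    """One-dimensional 'best match' as routers do it: the longest matching
    prefix is unique, because two distinct networks of equal length cannot
    both contain the same address."""
    a = ip_address(addr)
    hits = [ip_network(n) for n in routes if a in ip_network(n)]
    return str(max(hits, key=lambda n: n.prefixlen)) if hits else None


# Avishai's two rules and the packet that matches both.
RULES = [
    Rule("r1", ANY, "x", ANY, "pass"),   # from anywhere, to host x, any service
    Rule("r2", ANY, ANY, "y", "drop"),   # from anywhere, to anywhere, service y
]
PACKET = {"src": "somewhere", "dst": "x", "service": "y"}

if __name__ == "__main__":
    print("longest prefix:", longest_prefix(["0.0.0.0/0", "10.0.0.0/8", "10.1.0.0/16"], "10.1.2.3"))
    print("first match  :", first_match(RULES, PACKET))
    print("best match   :", best_match(RULES, PACKET))
    print("best, dst first    :", best_match(RULES, PACKET, priority=("dst", "service")))
    print("best, service first:", best_match(RULES, PACKET, priority=("service", "dst")))
```

Reversing the rule list changes the first-match answer, which is exactly the order dependence the thread argues about; under best match the order no longer matters, but the tie between r1 and r2 is decided only by the field priority chosen, so the result is just as much a product of an administrator-invisible convention as rule order was.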
