Firewall Wizards mailing list archives

Re: Opinion: Worst interface ever.


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 5 Jul 2005 10:43:59 -0400 (EDT)

On Tue, 5 Jul 2005, Dave Piscitello wrote:

> This is not correct. If you CHOOSE, the policy manager will order the
> ruleset for you. Manual mode is available in the details view. Right-
> click any policy and you can switch to manual mode and move policies
> in whatever order you wish.


Well, I didn't choose- it was just doing it.  Thanks though, I'll see if
this helps in the "set up a rule and have it actually work" case- the
major difference I could see in my original non-working PAT rule and the
one that did work was one had port set to client and the other said it
didn't care about the port- which to me seems equivalent.

> > evaluation order, there's no easy way that I can find to figure
> > out what order something's going to be evaluated in.

> I don't understand this comment. The help page explains exactly how
> the policies are ordered, precedence actions, etc.

Help wasn't working for me, and the interface was having major issues on
an idle Server 2003 system (menu bar was floating above the window it
lived in.)  Trying to figure out which rule was tripping the inbound
traffic really didn't end up helping anyway (logs said permitted, firewall
said ICMP port unreachable-) but I was frustrated by the lack of ability
to figure out why the system was generating unreachables for PAT or NAT
with a separate external address (I tried both) for one rule, but not for
another.

> "Fireware Policy Manager automatically sorts policies from the most
> detailed to the most general. Each time you add a policy, Policy
> Manager compares the new rule with all the rules in your
> configuration file. To set the precedence, Policy Manager uses these
> criteria:
>
>    1. Protocols set for the policy type
>    2. Traffic rules of the To field
>    3. Traffic rules of the From field
>    4. Firewall action
>    5. Schedule
>    6. Alphanumeric sequence based on policy type
>    7. Alphanumeric sequence based on policy name...
>
> <additional details not cut-pasted>

When I suggested that they optimize the "deny all" default deny to the
top of the sequence, because then it'd really scream - it took him a
couple of seconds to laugh.

This is the policy order I have on my kids' subnet ;-)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
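The "most detailed to most general" ordering quoted from the Fireware help page, and the first-match evaluation that makes the order matter, as an added worked example. This is not code from the original post and not WatchGuard's implementation: the seven criteria are taken from the quoted help text, but the concrete specificity measures (fewer protocols, ports and addresses sort first), the deny-before-allow tie-break, the sample policies and the hypothetical manual_order() helper are all assumptions of this example.

```python
"""Added example: auto-ordering of firewall policies from most specific
to most general, followed by first-match evaluation.

Not from the original post and not WatchGuard code. The field order of
the sort key follows the seven criteria quoted from the Fireware help
page; the specificity measures themselves and the deny-first tie-break
are assumptions, as are the constructed sample policies below.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

ALL_PORTS = range(0, 65536)   # "don't care about the port"


@dataclass
class Policy:
    name: str
    ptype: str                 # policy type, e.g. "HTTP", "Any"
    protocols: frozenset[str]  # empty set = any protocol
    ports: range               # destination ports; ALL_PORTS = any
    to: str                    # destination CIDR (the "To" field)
    frm: str                   # source CIDR (the "From" field)
    action: str                # "deny" or "allow"
    schedule: str = "always"   # "always" is the least specific schedule

    def matches(self, proto: str, dport: int, dst: str, src: str) -> bool:
        return ((not self.protocols or proto in self.protocols)
                and dport in self.ports
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.to)
                and ipaddress.ip_address(src) in ipaddress.ip_network(self.frm))


def specificity_key(p: Policy) -> tuple:
    """Sort key: smaller sorts first, i.e. is more specific.
    Field order mirrors the quoted criteria 1..7; the measures are assumed."""
    nproto = len(p.protocols) or 256   # any-protocol is least specific (assumption)
    return (
        nproto, len(p.ports),                       # 1. protocols/ports of the policy type
        ipaddress.ip_network(p.to).num_addresses,   # 2. To field
        ipaddress.ip_network(p.frm).num_addresses,  # 3. From field
        0 if p.action == "deny" else 1,             # 4. action (assumed: deny first)
        0 if p.schedule != "always" else 1,         # 5. schedule (restricted = more specific)
        p.ptype,                                    # 6. alphanumeric on policy type
        p.name,                                     # 7. alphanumeric on policy name
    )


def auto_order(policies: list[Policy]) -> list[Policy]:
    """What the policy manager does for you when you let it sort."""
    return sorted(policies, key=specificity_key)


def manual_order(policies: list[Policy], first: str) -> list[Policy]:
    """Hypothetical manual mode: drag the named policy to the top."""
    return ([p for p in policies if p.name == first]
            + [p for p in policies if p.name != first])


def first_match(policies: list[Policy], proto: str, dport: int,
                dst: str, src: str) -> str | None:
    """First-match evaluation. None means nothing matched (implicit deny)."""
    for p in policies:
        if p.matches(proto, dport, dst, src):
            return p.name
    return None


# Constructed sample ruleset (assumed addresses, not from the post).
POLICIES = [
    Policy("Deny-All", "Any", frozenset(), ALL_PORTS, "0.0.0.0/0", "0.0.0.0/0", "deny"),
    Policy("PAT-any-port", "Any", frozenset({"tcp"}), ALL_PORTS, "203.0.113.10/32", "0.0.0.0/0", "allow"),
    Policy("PAT-port-80", "HTTP", frozenset({"tcp"}), range(80, 81), "203.0.113.10/32", "0.0.0.0/0", "allow"),
    Policy("Kids-No-Web", "HTTP", frozenset({"tcp"}), range(80, 81), "0.0.0.0/0", "192.168.2.0/24", "deny"),
]

if __name__ == "__main__":
    ordered = auto_order(POLICIES)
    print("auto order:", [p.name for p in ordered])
    # A port-specific PAT rule and a "don't care about the port" PAT rule
    # are not equivalent to the sorter: the specific one lands higher.
    print(first_match(ordered, "tcp", 80, "203.0.113.10", "198.51.100.7"))
    print(first_match(ordered, "tcp", 443, "203.0.113.10", "198.51.100.7"))
    # Deny-All sorts last; dragging it to the top in manual mode blocks everything.
    print(first_match(manual_order(ordered, "Deny-All"), "tcp", 80, "203.0.113.10", "198.51.100.7"))
```

Note that the auto order ranks the /32 destination of PAT-port-80 ahead of the /24 source of Kids-No-Web, because the To field is criterion 2 and From is criterion 3: a kids' web session to that PAT address is allowed by the first rule before the deny is ever reached. That is the kind of surprise that makes knowing the evaluation order matter.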
