Firewall Wizards mailing list archives

Re: Opinion: Worst interface ever.


From: Darren Reed <darrenr () reed wattle id au>
Date: Wed, 6 Jul 2005 12:15:03 +1000 (EST)

On Tue, 5 Jul 2005, Marcus J. Ranum wrote:

> That's a chip-head thing, Paul. Remember - it's all about performance,
> not security. By re-ordering the ruleset the firewall can evaluate the
> rules in the fastest possible manner. I had this explained to me once
> by an engineer who builds ASIC firewalls for a living - he thought it was
> a very cool optimization.
>
> I don't mind the optimization[1], I mind the fact that the UI won't tell
> me how the rules are optimized.  I mind that I can't seem to find the
> logging software on the disk the UI came on, so I can't even see what the
> heck rule is making the box send out ICMP port unreachables.  I mind that
> following the instructions doesn't produce the results I expect.
>
> If I ever have to audit one of these things, I'm charging extra.

How do you audit firewall-1?  Do you ask the kernel module for the rules
*it* has loaded or do you just accept what the gui gives you?
Does FW-1 tell you how it optimises rules when it compiles your ruleset?
Or does auditing fw-1 primarily revolve around testing?

For me, being able to audit the loaded configuration against what's
in a configuration file has been one of the primary design goals of ipfilter.

Darren
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
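The audit Darren describes, comparing the ruleset the kernel reports as loaded with the rules in the configuration file, as an added example that is not part of this message and is not ipfilter's own code. It uses a simplified ipf-like rule grammar written for this example (pass/block, in/out, optional quick, on <iface>, optional proto, from/to, optional destination port), and both the "config file" and the "loaded" dump are constructed strings rather than output from ipfstat. The evaluator models ipfilter's documented matching order (last matching rule wins unless a matching rule is quick, in which case evaluation stops there) and assumes the default pass policy for packets no rule matches. The loaded dump contains exactly the config's rules, only re-ordered, which is the case a set-based comparison misses and a first-match ("quick") evaluation turns into a different verdict:

```python
"""Audit a loaded firewall ruleset against its config file, and show why
rule order is part of the semantics. Added example; rule syntax is a
simplified ipf-like grammar, inputs are constructed."""
import re
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional

# Constructed sample config file (simplified ipf-like syntax).
CONFIG_TEXT = """\
# drop everything from the RFC 1918 /8 before any service rules
block in quick on em0 from 10.0.0.0/8 to any
pass in quick on em0 proto tcp from any to 192.0.2.10/32 port = 22
pass in quick on em0 proto tcp from any to 192.0.2.10/32 port = 80
block in quick on em0 from any to any
"""

# Constructed "what the kernel says it loaded": same rules, different order,
# as a firewall that silently re-orders for performance might report.
LOADED_TEXT = """\
pass in quick on em0 proto tcp from any to 192.0.2.10/32 port = 22
block in quick on em0 from 10.0.0.0/8 to any
pass in quick on em0 proto tcp from any to 192.0.2.10/32 port = 80
block in quick on em0 from any to any
"""

RULE_RE = re.compile(
    r"^(?P<action>pass|block)\s+(?P<dir>in|out)"
    r"(?:\s+(?P<quick>quick))?"
    r"\s+on\s+(?P<iface>\S+)"
    r"(?:\s+proto\s+(?P<proto>\S+))?"
    r"\s+from\s+(?P<src>\S+)\s+to\s+(?P<dst>\S+)"
    r"(?:\s+port\s*=\s*(?P<port>\d+))?\s*$"
)


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    src: IPv4Address
    dst: IPv4Address
    dport: Optional[int]


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    quick: bool            # stop evaluation on match
    iface: str
    proto: Optional[str]   # None = any protocol
    src: IPv4Network
    dst: IPv4Network
    port: Optional[int]    # destination port, None = any

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction and self.iface == pkt.iface
                and (self.proto is None or self.proto == pkt.proto)
                and pkt.src in self.src and pkt.dst in self.dst
                and (self.port is None or self.port == pkt.dport))


def _net(token: str) -> IPv4Network:
    return ip_network("0.0.0.0/0") if token == "any" else ip_network(token)


def parse_rules(text: str) -> List[Rule]:
    """Parse rule lines; comments and blank lines are skipped, anything
    else that does not parse is an error (an auditor must not guess)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: unparseable rule: {raw!r}")
        d = m.groupdict()
        rules.append(Rule(d["action"], d["dir"], bool(d["quick"]), d["iface"],
                          d["proto"], _net(d["src"]), _net(d["dst"]),
                          int(d["port"]) if d["port"] else None))
    return rules


def audit(config: List[Rule], loaded: List[Rule]) -> dict:
    """Report rules missing from / extra in the loaded set, and whether the
    two contain the same rules but in a different order."""
    cfg_set, ld_set = set(config), set(loaded)
    return {"missing": [r for r in config if r not in ld_set],
            "extra": [r for r in loaded if r not in cfg_set],
            "reordered": cfg_set == ld_set and config != loaded}


def verdict(rules: List[Rule], pkt: Packet) -> str:
    """ipfilter-style evaluation: last matching rule wins, except that a
    matching 'quick' rule ends evaluation. Default pass is assumed."""
    result = "pass"
    for r in rules:
        if r.matches(pkt):
            result = r.action
            if r.quick:
                break
    return result


# Constructed probe: SSH from inside the blocked /8 to the server.
SAMPLE_PACKET = Packet("in", "em0", "tcp", ip_address("10.1.2.3"),
                       ip_address("192.0.2.10"), 22)

if __name__ == "__main__":
    cfg, ld = parse_rules(CONFIG_TEXT), parse_rules(LOADED_TEXT)
    print("audit:", audit(cfg, ld))
    print("config order  ->", verdict(cfg, SAMPLE_PACKET))
    print("loaded order  ->", verdict(ld, SAMPLE_PACKET))
```

The set comparison alone would report no drift (nothing missing, nothing extra), yet the same packet is blocked under the config's order and passed under the loaded order; any audit of a re-ordering firewall therefore has to compare sequences, or re-evaluate representative packets against both, not just compare the rules as a bag.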
