Great Circle Associates Firewalls
(December 1992)
 


Subject: Firewalls Digest V1 #48
From: phr @ napa . Telebit . COM (Paul Rubin)
Date: Sat, 12 Dec 92 02:13:23 PST
To: Firewalls @ GreatCircle . COM
Cc: Firewalls-Digest @ GreatCircle . COM
In-reply-to: Firewalls-Digest-Owner @ GreatCircle . COM's message of Sat, 12 Dec 92 01:00:06 PST <9212120900 . AA12995 @ mycroft . GreatCircle . COM>

>From: Brent Chapman <brent @ GreatCircle . COM>
>Date: Fri, 11 Dec 92 10:17:37 -0800
>Subject: Re: Firewalls Digest V1 #42
>
>phr @ napa . Telebit . COM (Paul Rubin) writes:
>
># I hope this list's readers don't mind my plugging the product I work
># on, but the Telebit NetBlazer can filter on all these parameters
># except for source port.  We will probably add a source port parameter
># to a future release.  We *do* listen to what users ask for.
>
>AND except for the fact that the NetBlazer reorders and recombines the
>rules in the filters something awful.  In every release I've tried so
>far, there have been bugs in this procedure, and the NetBlazer has
>converted what should be a working rule set into a not-working pile
>of spaghetti.

I hope this doesn't turn out to be a case of "open mouth-insert
foot", but I believe that the current implementation works correctly.
Previous versions were unclearly specified and the implementation was
more complicated than the current one.

I still don't understand why anyone would want to change the order of
the filters to something other than most-specific-first.  By
comparison, the routing tables are most-specific-first and nobody has
complained.  The example in "Network (In)security..." can easily be
done correctly with most-specific-first order.

I don't think anyone here would oppose adding an option to let the
admin change the filter ordering if there was a good reason to add
such an option.  But I think most of the gripes I've heard have been
due to confusion that will hopefully be cleaned up by the new
Netblazer software and manuals.
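An added illustration of the two orderings under discussion (not NetBlazer code, and not from the original message): evaluating a filter list in the order written versus sorted most-specific-first, the same idea as longest-prefix match in a routing table. The rule set, the probe packets and the specificity metric (prefix lengths plus a weight for an explicit port) are constructed assumptions for this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                      # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dst_port: Optional[int] = None   # None matches any destination port

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.dst_port is None or self.dst_port == port))

    def specificity(self) -> int:
        # Assumed metric: longer prefixes and an explicit port make a rule
        # more specific, analogous to longest-prefix match in routing.
        return self.src.prefixlen + self.dst.prefixlen + (16 if self.dst_port is not None else 0)


def first_match(rules, src, dst, port, default="deny"):
    """Evaluate rules in the order written; the first hit decides."""
    for r in rules:
        if r.matches(src, dst, port):
            return r.action
    return default


def most_specific_first(rules, src, dst, port, default="deny"):
    """Evaluate after sorting by specificity (stable sort: ties keep written order)."""
    ordered = sorted(rules, key=Rule.specificity, reverse=True)
    return first_match(ordered, src, dst, port, default)


def ordering_differences(rules, probes):
    """Probe packets whose verdict depends on which ordering the filter applies."""
    return [p for p in probes if first_match(rules, *p) != most_specific_first(rules, *p)]


net = ipaddress.ip_network
# Constructed rule set: a broad deny written before a narrow SMTP permit.
RULES = [
    Rule("deny", net("0.0.0.0/0"), net("192.0.2.0/24")),
    Rule("permit", net("0.0.0.0/0"), net("192.0.2.25/32"), 25),
]
PROBES = [("198.51.100.7", "192.0.2.25", 25), ("198.51.100.7", "192.0.2.25", 80)]

if __name__ == "__main__":
    for p in PROBES:
        print(p, "written:", first_match(RULES, *p), "most-specific-first:", most_specific_first(RULES, *p))
    print("verdicts that flip with ordering:", ordering_differences(RULES, PROBES))
```

Running the check on a rule set before loading it shows which packets get a different verdict under the two orderings, which is where an admin's expectation and the box's behaviour can diverge.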

