Great Circle Associates Firewalls
(December 1992)
 


Subject: Re: filter rule order application
From: Brent Chapman <brent @ GreatCircle . COM>
Date: Sat, 12 Dec 92 05:53:51 -0800
To: Firewalls @ GreatCircle . COM
In-reply-to: Your message of Sat, 12 Dec 92 02:13:23 PST

phr @ napa . Telebit . COM (Paul Rubin) writes:

# I still don't understand why anyone would want to change the order of
# the filters to something other than most-specific-first.  By
# comparison, the routing tables are most-specific-first and nobody has
# complained.  The example in "Network (In)security..." can easily be
# done correctly with most-specific-first order.

Routing tables only have one set of addresses to deal with; it's clear
that you order them by most-specific-destination-address.  Filtering
tables have two sets of addresses to deal with; it's not clear that
it's always right to order them by destination address OR by source
address.

What seems clear to me is that it's much simpler for both the user and
the developer to just leave the damn rules in the order the
administrator specified.  Even if that order is not "optimal" by some
metric, there's a greater chance that the user will understand what's
going on if you don't introduce these extra complications like rule
reordering.


-Brent
--
Brent Chapman                                   Great Circle Associates
Brent @ GreatCircle . COM                       1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA  94041
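The ambiguity Brent describes, worked through as an added example (my code, not from the list or from any filtering product of the time): a toy filter with two rules on constructed RFC 5737 documentation addresses, evaluated in administrator order and in each of the two possible "most-specific-first" orders. Whether the most-specific rule is judged by source prefix or by destination prefix decides the verdict on a packet that matches both rules.

```python
"""Toy packet filter: administrator order vs. most-specific-first."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    action: str  # "permit" or "deny"

    def matches(self, src_ip: str, dst_ip: str) -> bool:
        return ip_address(src_ip) in self.src and ip_address(dst_ip) in self.dst


def first_match(rules, src_ip, dst_ip, default="deny"):
    """Administrator order: the first rule that matches decides."""
    for rule in rules:
        if rule.matches(src_ip, dst_ip):
            return rule.action
    return default  # no rule matched: fail closed


def most_specific_first(rules, src_ip, dst_ip, field, default="deny"):
    """Reorder by prefix length of one address field, then evaluate.

    `field` is "src" or "dst"; a filter has two address fields, so there
    are two different "most specific" orders. sorted() is stable, so rules
    of equal specificity keep the administrator's relative order.
    """
    ordered = sorted(rules, key=lambda r: getattr(r, field).prefixlen, reverse=True)
    return first_match(ordered, src_ip, dst_ip, default)


# Constructed rule set (hypothetical addresses from RFC 5737 ranges):
#   1. deny one untrusted outside host, whatever it is talking to
#   2. permit anyone to reach the public mail relay
RULES = [
    Rule(ip_network("203.0.113.7/32"), ip_network("0.0.0.0/0"), "deny"),
    Rule(ip_network("0.0.0.0/0"), ip_network("192.0.2.25/32"), "permit"),
]


def compare(src_ip, dst_ip):
    """Verdict for one packet under each ordering strategy."""
    return {
        "admin_order": first_match(RULES, src_ip, dst_ip),
        "specific_src": most_specific_first(RULES, src_ip, dst_ip, "src"),
        "specific_dst": most_specific_first(RULES, src_ip, dst_ip, "dst"),
    }
```

For a packet from the denied host to the mail relay, administrator order and source-specific order deny it while destination-specific order permits it; packets matching only one rule get the same verdict under all three.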


