"William C. Fenner" <fenner @ cmf . nrl . navy . mil> writes:
# On Fri, 8 Jul 1994 14:45:47 -0400 John Schnizlein wrote:
# > As filter statements are added they go at the top (highest precedence)
# > of the list (the opposite of Cisco) except for the default specification,
# > which is at the end if present.
#
# Filters actually get inserted into the list in sorted order by number of
# bits in the netmask. You are supposed to be able to enter filters in any
# order and they will still come out the same, but there are some bugs, at
# least in their latest release, 2.3 .
#
# Bill
Those bugs have been there forever; I've given up on them ever getting
fixed.
This "feature" of the NetBlazer was the original impetus
behind the "order dependency" example in my "Network (In)Security
through IP Packet Filtering" paper from a couple of years ago
(available for anonymous FTP:
ftp://ftp.greatcircle.com/pub/firewalls/papers/chapman/pkt_filtering.ps.Z).
-Brent
--
Brent Chapman | Great Circle Associates | Call or email for info about
Brent @ GreatCircle . COM | 1057 West Dana Street | upcoming Internet Security
+1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates
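The order dependency discussed in this thread, as an added example that is not part of the original messages or of Brent Chapman's paper: the same first-match rule set is evaluated as typed, newest-first (the behaviour John Schnizlein described), and sorted by netmask bits (the behaviour Bill Fenner described). The rule set, the function names, and the longest-mask-first sort direction are assumptions; the thread does not state the direction.

```python
import ipaddress

# Constructed rule set in the order an operator typed it (not from the thread).
TYPED = [
    ("permit", "10.1.0.0/16"),
    ("deny",   "10.1.2.0/24"),
    ("permit", "10.1.2.3/32"),
    ("deny",   "10.0.0.0/8"),
]
DEFAULT = "deny"  # default specification, always evaluated last

def parse(rules):
    return [(action, ipaddress.ip_network(net)) for action, net in rules]

def as_typed(rules):
    """Rules stay in the order they were entered."""
    return list(rules)

def newest_first(rules):
    """Each new rule goes to the top of the list."""
    return list(reversed(rules))

def by_mask_bits(rules):
    """Sorted by number of netmask bits; longest-first is an assumption."""
    return sorted(rules, key=lambda r: r[1].prefixlen, reverse=True)

ORDERINGS = {"as_typed": as_typed, "newest_first": newest_first,
             "by_mask_bits": by_mask_bits}

def verdict(ordered, addr, default=DEFAULT):
    """First matching rule wins; fall through to the default."""
    ip = ipaddress.ip_address(addr)
    for action, net in ordered:
        if ip in net:
            return action
    return default

def compare(rules, probes):
    """Verdict for every probe address under every ordering."""
    parsed = parse(rules)
    return {addr: {name: verdict(order(parsed), addr)
                   for name, order in ORDERINGS.items()}
            for addr in probes}

def order_dependent(rules, probes):
    """Addresses whose verdict changes with the list ordering."""
    return [addr for addr, v in compare(rules, probes).items()
            if len(set(v.values())) > 1]

if __name__ == "__main__":
    for addr, v in compare(TYPED, ["10.1.2.3", "10.1.2.9", "10.9.9.9"]).items():
        print(addr, v)
```

Running `order_dependent` over probe addresses chosen from each overlapping prefix is a quick audit of whether a rule set depends on the device's ordering policy.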