Great Circle Associates Firewalls
(February 1997)
 


Subject: Re: [FW1] rule set
From: jerald . josephs @ Ebay . Sun . COM (Jerald Josephs)
Date: Tue, 11 Feb 1997 18:05:10 -0800
To: oliver @ hg . uleth . ca, jkerr2 @ csc . com
Cc: fw-1-mailinglist @ us . checkpoint . com, firewalls @ GreatCircle . COM

> From fw-1-mailinglist-owner @ us . checkpoint . com  Tue Feb 11 13:44:17 1997
> X-Authentication-Warning: loudecho.us.checkpoint.com: majordom set sender to owner-fw-1-mailinglist @ us . checkpoint . com using -f
> Date: Tue, 11 Feb 1997 13:14:56 -0500
> From: John Kerr <jkerr2 @ csc . com>
> MIME-Version: 1.0
> To: "Jeffrey L. Oliver" <oliver @ hg . uleth . ca>
> CC: "fw-1-mailinglist @ us . checkpoint . com" <fw-1-mailinglist @ us . checkpoint . com>,
>         "firewalls @ greatcircle . com" <firewalls @ greatcircle . com>
> Subject: Re: [FW1] rule set
> Content-Transfer-Encoding: 7bit
> 
> Jeffrey L. Oliver wrote:
> > 
> > G'Day,
> > 
> > Is there a prefered order for the rule set in FW-1?
> > 
> > regards,
> > Jeff
> > 
> > 
> >     ---------------------------------------------------------------
> > BEGIN:VCARD
> > FN:Jeffrey L. Oliver
> > N:Oliver;Jeffrey L.
> > ORG:University of Lethbridge
> > ADR:;;4401 University Drive;Lethbridge;Alberta;T1K 3M4
> > EMAIL;INTERNET:oliver @ hg . uleth . ca
> > TITLE:System Support Specialist
> > TEL;WORK:(403) 329-5162
> > TEL;FAX:(403) 382-7108
> > X-NAV-HTML:T
> > END:VCARD
> The rule set will start at rule number one and work its way down to the
> last rule or until a rule condition has been satisfied.
> 			John
> 

John is correct and since FW-1 does that for each and every packet, you
can minimize the time spent finding the corresponding rule by:

1) Start with rules that accept packets, followed by rules that block packets.

	This is my preferred logic, since I terminate my policy with a block
	all and log rule.

2) Start with rules that handle the most frequent services, followed by rules
   that handle the least frequent services.

	This has to do with the top-to-bottom sequential search.

3) End with a rule that drops all and logs it.

	Sometimes it is more important to know what you are blocking instead
	of what you are accepting.

4) Consider unchecking all of the Properties, forcing the policy to handle
   everything.  This enables you to
	a) WYSIWYG
	b) log everything

   Not necessary, but it is an option that you might want to know about.



    /\  Jerald E. Josephs
   \\ \  Course Developer - Network Security
  \ \\ /  Sun Educational Services
 / \/ / / 
/ /   \//\ 
\//\   / / 
 / / /\ /
  / \\ \  Phone/VM: 408-276-0941
   \ \\  FAX: 408-276-1565
    \/  E-mail: jerald . josephs @ EBay . Sun . COM
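The top-to-bottom first-match walk John describes, and the ordering advice Jerald builds on it, as an added example in Python (this is not code from the original thread or from FireWall-1; the rule names, network names, service names and traffic mix are constructed for illustration). It counts how many rules must be examined per packet under two orderings of the same rule base, checks that the reordering did not change any verdict, and shows why a rule placed below the final drop-all never fires.

```python
"""First-match rule-base evaluation modelled on the behaviour described in
the thread: rules are tried from rule 1 downward and the first rule whose
condition is satisfied decides the packet. Everything below (rule names,
networks, services, traffic sample) is constructed for illustration."""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

ANY = "*"
Packet = Tuple[str, str, str]  # (source network, destination network, service)


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # network name or ANY
    dst: str        # network name or ANY
    service: str    # service name or ANY
    action: str     # "accept" or "drop"
    log: bool = False

    def matches(self, src: str, dst: str, service: str) -> bool:
        # Each field matches if the rule says ANY or names the packet's value.
        return all(want in (ANY, got) for want, got in
                   ((self.src, src), (self.dst, dst), (self.service, service)))


def first_match(rules: List[Rule], src: str, dst: str, service: str) -> Tuple[Rule, int]:
    """Walk the rule base top to bottom. Return the deciding rule and the
    number of rules that had to be examined to reach it. A rule base with no
    catch-all is rejected, because a packet could then match nothing."""
    for examined, rule in enumerate(rules, start=1):
        if rule.matches(src, dst, service):
            return rule, examined
    raise ValueError("no rule matched: rule base lacks a final drop-all rule")


def average_rules_examined(rules: List[Rule], traffic: Iterable[Packet]) -> float:
    packets = list(traffic)
    return sum(first_match(rules, *pkt)[1] for pkt in packets) / len(packets)


def same_decisions(a: List[Rule], b: List[Rule], traffic: Iterable[Packet]) -> bool:
    """Reordering for speed must not change any verdict: compare the action
    and log flag of the deciding rule under both orderings for every packet."""
    for pkt in traffic:
        ra, _ = first_match(a, *pkt)
        rb, _ = first_match(b, *pkt)
        if (ra.action, ra.log) != (rb.action, rb.log):
            return False
    return True


# Constructed rule base: three accepts, one explicit logged block, one cleanup.
CLEANUP = Rule("drop-all-and-log", ANY, ANY, ANY, "drop", log=True)
ALLOW_HTTP = Rule("allow-http", "internal-net", ANY, "http", "accept")
ALLOW_DNS = Rule("allow-dns", ANY, "dns-server", "domain-udp", "accept")
ALLOW_SMTP = Rule("allow-smtp", ANY, "mailhost", "smtp", "accept")
BLOCK_TELNET = Rule("block-telnet", ANY, "internal-net", "telnet", "drop", log=True)

# Block first, rarest accept next: every common packet walks past several rules.
SLOW = [BLOCK_TELNET, ALLOW_SMTP, ALLOW_DNS, ALLOW_HTTP, CLEANUP]
# Accepts first, most frequent service first, explicit block, then drop-all-and-log.
FAST = [ALLOW_HTTP, ALLOW_DNS, ALLOW_SMTP, BLOCK_TELNET, CLEANUP]
# Mistake: a rule placed below the catch-all can never be reached.
MISORDERED = [ALLOW_HTTP, ALLOW_DNS, CLEANUP, ALLOW_SMTP, BLOCK_TELNET]

# Constructed traffic sample: web dominates, some DNS and mail, two probes.
TRAFFIC: List[Packet] = (
    [("internal-net", "external", "http")] * 60
    + [("external", "dns-server", "domain-udp")] * 20
    + [("external", "mailhost", "smtp")] * 10
    + [("external", "internal-net", "telnet")]
    + [("external", "internal-net", "finger")]
)

if __name__ == "__main__":
    for label, rules in (("SLOW", SLOW), ("FAST", FAST)):
        print(f"{label}: {average_rules_examined(rules, TRAFFIC):.2f} rules examined per packet")
    print("FAST keeps SLOW's verdicts:", same_decisions(SLOW, FAST, TRAFFIC))
    print("MISORDERED keeps FAST's verdicts:", same_decisions(FAST, MISORDERED, TRAFFIC))
```

The two orderings above contain the same five rules, and since none of the accept rules overlaps the block rule, they reach the same verdict for every packet; only the number of rules examined changes. The `same_decisions` check is the test to run before shuffling a real policy, because the same first-match semantics that make reordering pay off also mean an overlapping accept and drop swap verdicts when their order swaps.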


