Great Circle Associates Firewalls
(January 1995)

Subject: Re: Dynamically Re-arranged Access Lists?
From: Joe Matuscak <matuscak @ rohrer . com>
Date: Fri, 27 Jan 1995 11:28:22 -0500 (EST)
To: Stephen Harold Goldstein <steveg @ cseic . saic . com>
Cc: firewalls @ greatcircle . com
In-reply-to: <9501262128 . AA08758 @ cseic . saic . com>

On Thu, 26 Jan 1995, Stephen Harold Goldstein wrote:

> I just got back from ComNet '95 in D.C., and heard some rather
> disturbing "info" from a firewall vendor who shall remain nameless.
> He claimed that some manufacturer's routers (wouldn't specify) will
> re-arrange the order in which ACL entries are processed for efficiency
> reasons, possibly leading to unintended results such as packets getting
> through that should have been blocked.

That is certainly the case with Telebit NetBlazers up through the 
currently shipping version (2.3).  I think there are also other charming 
features like a (poorly documented) limit on the number of ports 
specified in a ACL where if you specify more than that number, it 
(silently) drops the additional ports.



Joe Matuscak
Rohrer Corporation
717 Seville Road
Wadsworth, Ohio 44281
(216)335-1541
Matuscak @ Rohrer . com
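Added illustration, not part of the exchange above: a first-match ACL evaluator in Python showing how reordering two entries lets a packet through, plus a check that lists rule pairs whose relative order can change a decision (the pairs a reordering device could break). The ACL, host addresses and port are constructed sample values.

```python
from dataclasses import dataclass
from itertools import combinations
from typing import Optional

ANY = None  # wildcard for a field


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: Optional[str]     # source host, or ANY
    dport: Optional[int]   # destination port, or ANY

    def matches(self, src: str, dport: int) -> bool:
        return self.src in (ANY, src) and self.dport in (ANY, dport)

    def overlaps(self, other: "Rule") -> bool:
        # Some packet can match both rules if, for every field,
        # either side is a wildcard or the two values are equal.
        return (ANY in (self.src, other.src) or self.src == other.src) and (
            ANY in (self.dport, other.dport) or self.dport == other.dport)


def evaluate(acl, src: str, dport: int) -> str:
    """First-match evaluation with an implicit deny at the end."""
    for rule in acl:
        if rule.matches(src, dport):
            return rule.action
    return "deny"


def order_sensitive_pairs(acl):
    """Pairs that overlap and take different actions: only for these can
    swapping the order change a decision, so they are the entries to watch
    on a device that rearranges its list."""
    return [(a, b) for a, b in combinations(acl, 2)
            if a.action != b.action and a.overlaps(b)]


# Constructed sample: block telnet from one host, allow it from everyone else.
ACL = [
    Rule("deny", "10.0.0.5", 23),
    Rule("permit", ANY, 23),
    Rule("deny", ANY, ANY),
]
# The same entries after a hypothetical "efficiency" reordering.
REORDERED = [ACL[1], ACL[0], ACL[2]]

if __name__ == "__main__":
    print(evaluate(ACL, "10.0.0.5", 23))        # deny
    print(evaluate(REORDERED, "10.0.0.5", 23))  # permit: the host slips through
    for a, b in order_sensitive_pairs(ACL):
        print("order matters:", a, "vs", b)
```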