Firewall Wizards
mailing list archives
Re: Is the order of the rules entered in iptables important?
From: David Lang <david.lang () digitalinsight com>
Date: Mon, 5 Aug 2002 09:25:19 -0700 (PDT)
Having worked with both types, I think that the 'best fit' approach is
easier if you have small rulesets, but the 'rule order' approach offers
more precise control with a complicated ruleset.

One thing that makes the 'best fit' approach work on Raptor is that, since
it is a proxy-based firewall, you are not putting in two rules for each
traffic type, only one, so some of the more obvious reordering problems
vanish.
David Lang
On 5 Aug 2002, Anton J Aylward, CISSP wrote:

> Date: 05 Aug 2002 08:14:43 -0400
> From: "Anton J Aylward, CISSP" <aja () si on ca>
> To: David Lang <david.lang () digitalinsight com>
> Cc: Christopher Hicks <chicks () chicks net>,
>     firewall-wizards () honor icsalabs com
> Subject: Re: [fw-wiz] Is the order of the rules entered in iptables important?
>
> You should also check Brent Chapman's papers and the O'Reilly book he
> co-authored with Elizabeth Zwicky.
>
> Brent found that some routers try to optimize their filter rules and do
> so in such a way that results in untoward effects.
>
> I don't know which volume will be available to you, but in mine it's in a
> section:
>
>     Choosing a filtering Packet Router
>     It should apply rules in the order specified.
>
> See if the problems he describes with the optimizations would apply to
> you.
>
> On Sun, 2002-08-04 at 23:14, David Lang wrote:
> > There are a few firewalls that apply rules in a 'best fit' strategy rather
> > than in order. Raptor (now Symantec Enterprise Firewall) is one example
> > that does this.
> >
> > There was a debate on the pros and cons of this a year or so ago.
> >
> > David Lang
> >
> > On Thu, 1 Aug 2002, Christopher Hicks wrote:
> > > On Thu, 1 Aug 2002, Kenny G. Dubuisson, Jr. wrote:
> > > > Does the order in which rules are added for an iptables table matter?
> > >
> > > Yes. I'm not aware of many firewall ruleset systems where the order
> > > doesn't matter.
>
> --
> Anton J Aylward, CISSP | http://groups.yahoo.com/group/ITTMG-Canada
> System Integrity | http://www.isc2.org
> InfoSec Consulting | http://www.issa-intl.org
> Voice: (416) 497-0201 | http://www.issa-toronto.org
> mailto:aja () si on ca |
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
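The thread contrasts two evaluation strategies: iptables' first-match semantics, where the first rule in a chain that matches a packet decides and rule order is therefore part of the policy, and the 'best fit' semantics David Lang attributes to Raptor, where the most specific matching rule decides regardless of position. The following is an added example, not code from the thread or from any firewall product: it simulates both strategies over a small constructed ruleset, shows the classic first-match mistake (a broad DROP placed before the narrower ACCEPT it was meant to make an exception for), and flags rules that can never fire under first-match because an earlier rule already covers them. The specificity scoring used for 'best fit' (prefix length plus a bonus for a port match) is an assumption for illustration; the thread does not describe Raptor's actual algorithm.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    src: str               # source network in CIDR notation, or "any"
    dport: Optional[int]   # destination port, or None for any port
    action: str            # "ACCEPT" or "DROP"

    def _net(self):
        return None if self.src == "any" else ipaddress.ip_network(self.src)

    def matches(self, src_ip: str, dport: int) -> bool:
        net = self._net()
        if net is not None and ipaddress.ip_address(src_ip) not in net:
            return False
        return self.dport is None or self.dport == dport

    def specificity(self) -> int:
        # Assumed 'best fit' score: longer prefix and an explicit port both count as more specific.
        net = self._net()
        return (net.prefixlen if net is not None else 0) + (32 if self.dport is not None else 0)

    def covers(self, other: "Rule") -> bool:
        """True when every packet that matches `other` also matches this rule."""
        net, onet = self._net(), other._net()
        if net is not None and (onet is None or not onet.subnet_of(net)):
            return False
        return self.dport is None or self.dport == other.dport


def first_match(rules: List[Rule], src_ip: str, dport: int, policy: str = "DROP") -> str:
    """iptables semantics: the first matching rule in the chain decides; the chain policy applies otherwise."""
    for r in rules:
        if r.matches(src_ip, dport):
            return r.action
    return policy


def best_fit(rules: List[Rule], src_ip: str, dport: int, policy: str = "DROP") -> str:
    """'Best fit' semantics as described in the thread: the most specific matching rule decides, wherever it sits."""
    hits = [r for r in rules if r.matches(src_ip, dport)]
    return max(hits, key=Rule.specificity).action if hits else policy


def shadowed(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never fire under first-match because an earlier rule covers every packet they match."""
    return [j for j, r in enumerate(rules) if any(rules[i].covers(r) for i in range(j))]


# Constructed ruleset: the intent is "no SSH from anywhere except the internal /8,
# and allow everything else from the /8". Rule 1 is written after the broad DROP.
RULES = [
    Rule("any", 22, "DROP"),
    Rule("10.0.0.0/8", 22, "ACCEPT"),
    Rule("10.0.0.0/8", None, "ACCEPT"),
]

if __name__ == "__main__":
    pkt = ("10.1.2.3", 22)
    print("first-match:", first_match(RULES, *pkt))   # DROP: rule 1 is never reached
    print("best fit:   ", best_fit(RULES, *pkt))      # ACCEPT: /8 + port beats any + port
    print("shadowed:   ", shadowed(RULES))            # [1]
    reordered = [RULES[1], RULES[0], RULES[2]]
    print("reordered:  ", first_match(reordered, *pkt))  # ACCEPT once the exception precedes the DROP
```

Under first-match the same three rules give the intended result only after the exception is moved ahead of the broad DROP, which is exactly why order matters in iptables; under the assumed 'best fit' scoring the order is irrelevant but the outcome now depends on a specificity ranking the administrator has to reason about instead. The `shadowed()` check is the kind of review worth running over an iptables ruleset before loading it, since a rule that can never fire is usually a sign that the policy does not say what its author meant.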