Firewall Wizards: Re: Opinion: Worst interface ever.

Re: Opinion: Worst interface ever.

From: Marcus J. Ranum <mjr_at_ranum.com>
Date: Tue, 05 Jul 2005 09:25:48 -0400

Paul D. Robertson wrote:
>The new Watchguard software "automatically" decides ruleset evaluation
>order, and there's no easy way that I can find to figure out what order
>something's going to be evaluated in.

That's a chip-head thing, Paul. Remember - it's all about performance,
not security. By re-ordering the ruleset the firewall can evaluate the
rules in the fastest possible manner. I had this explained to me once
by an engineer who builds ASIC firewalls for a living - he thought it was
a very cool optimization.

When I suggested that they optimize the "deny all" default deny to the
top of the sequence, because then it'd really scream - it took him a
couple of seconds to laugh.

mjr.

_______________________________________________
firewall-wizards mailing list
firewall-wizards_at_honor.icsalabs.com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Received on Jul 05 2005
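The thread's point is that a firewall which silently reorders rules for speed is only safe when the reordering cannot change a verdict, and that the operator has no way to check this when evaluation order is hidden. The following added example (not code from the thread or from any vendor product; rules, addresses and packets are constructed) shows the check an administrator would want: it lists the rule pairs that overlap and disagree on the action, since those are exactly the pairs whose relative order matters under first-match semantics, and it demonstrates how swapping such a pair, or moving the catch-all deny to the top, changes the outcome.

```python
"""Order-dependence check for a first-match firewall ruleset.
Added example, not code from the thread or any vendor; all rules, addresses
and packets below are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
ANY = ip_network("0.0.0.0/0")

@dataclass(frozen=True)
class Rule:
    name: str
    action: str        # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    ports: range       # destination ports, end exclusive
def overlaps(a: Rule, b: Rule) -> bool:
    """True when at least one packet matches both rules."""
    return (a.src.overlaps(b.src) and a.dst.overlaps(b.dst)
            and a.ports.start < b.ports.stop and b.ports.start < a.ports.stop)

def order_sensitive_pairs(rules):
    """Pairs whose relative order changes some packet's verdict: they overlap
    and disagree on the action. Only disjoint or same-action pairs can be
    reordered freely; these are the ones an operator needs to see."""
    return [(a.name, b.name) for i, a in enumerate(rules) for b in rules[i + 1:]
            if a.action != b.action and overlaps(a, b)]

def first_match(rules, src, dst, port, default="deny"):
    """Verdict of the first matching rule; implicit default deny otherwise."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and port in r.ports:
            return r.action
    return default

# Constructed ruleset in the administrator's intended order.
RULES = [
    Rule("block-telnet", "deny", ANY, ip_network("192.168.1.0/24"), range(23, 24)),
    Rule("allow-admin", "allow", ip_network("10.0.0.0/24"),
         ip_network("192.168.1.0/24"), range(1, 1025)),
    Rule("allow-web", "allow", ANY, ip_network("192.168.1.10/32"), range(80, 81)),
    Rule("default-deny", "deny", ANY, ANY, range(0, 65536)),
]

if __name__ == "__main__":
    print(order_sensitive_pairs(RULES))
    swapped = [RULES[1], RULES[0]] + RULES[2:]   # one overlapping pair reordered
    print(first_match(RULES, "10.0.0.5", "192.168.1.20", 23),    # deny
          first_match(swapped, "10.0.0.5", "192.168.1.20", 23))  # allow
    deny_first = [RULES[3]] + RULES[:3]          # the catch-all deny moved to the top
    print(first_match(deny_first, "203.0.113.7", "192.168.1.10", 80))  # deny
```

A reordering that keeps every listed pair in its original relative order preserves the ruleset's meaning; anything else needs the operator's review, which is why an interface that hides the order is a problem.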
