Date: Fri, 15 Dec 1995 17:08:26 -0800
From: Lyndon Nerenberg (VE7TCP) <lyndon@orthanc.com>
To: Luigi Rizzo <luigi@labinfo.iet.unipi.it>
Cc: hackers@freebsd.org
Subject: Re: Order of rules in ip_fw chain
Message-ID: <199512160108.RAA11261@multivac.orthanc.com>
In-Reply-To: Your message of "Fri, 15 Dec 1995 20:50:22 +0100." <199512151950.UAA00783@labinfo.iet.unipi.it>
>>>>> "Luigi" == Luigi Rizzo <luigi@labinfo.iet.unipi.it> writes:

Luigi> Priorities are nice, but kind of hard to implement. Moreover, an
Luigi> ordering between rules with the same priority is still required
Luigi> to achieve a deterministic *and* easily predictable behaviour.

Yes!

Luigi> Whenever I need, I modify the script and re-run it. Sure, there
Luigi> is a hole in between the two commands where unwanted connections
Luigi> might get in, but the probability is quite low *and* a simple
Luigi> change to the 'flush' command can allow the firewall to set the
Luigi> default policy as well.

This could be worked around by implementing locks around the filter
updates. Something like:

    ipfw lock        # temporarily block everything
    [ make updates ]
    ipfw commit      # make new rules live

Luigi> All in all, I would just try to make additions to the firewall
Luigi> chain be stored in the same order as they are made.

Yes! The interface must be simple and easily understood lest people get
chomped on by unintended surprises. (Cheswick and Bellovin explain this
well in their book.)

It would also be nice if the software and documentation agreed on the
point where a packet falls out due to a positive or negative match on
the filtering rules.

--lyndon
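Added example, not code from the thread or from FreeBSD's ip_fw: a toy Python model of an in-order, first-match chain with the lock/commit semantics sketched in the reply. The rule shapes, the addresses and the `lock`/`commit` methods are constructed assumptions; the model shows what a probe sees during a flush-then-re-add reload versus a locked one, and that rule order decides the verdict.

```python
# Toy model of an in-order, first-match filter chain (not FreeBSD's ip_fw
# code), contrasting the flush/re-add hole with a lock/update/commit reload.
class Rule:
    def __init__(self, action, src="any", dport=None):  # action: allow/deny
        self.action, self.src, self.dport = action, src, dport
    def matches(self, src, dport):
        return (self.src == "any" or src.startswith(self.src)) and \
               (self.dport is None or self.dport == dport)

class Chain:
    """Rules stay in the order they were added; the first match decides.
    No match -> default policy (modelled as accept so the gap is visible)."""
    def __init__(self, default="allow"):
        self.rules, self.default = [], default
        self.locked, self.staged = False, None
    def add(self, rule):    # while locked, additions go to the staged set
        (self.staged if self.locked else self.rules).append(rule)
    def flush(self):        # while locked, only the staged set is emptied
        if self.locked:
            self.staged = []
        else:
            self.rules = []
    def lock(self):         # "ipfw lock": deny everything until commit
        self.locked, self.staged = True, []
    def commit(self):       # "ipfw commit": swap the staged set in atomically
        self.rules, self.staged, self.locked = self.staged, None, False
    def check(self, src, dport):
        if self.locked:
            return "deny"
        for r in self.rules:   # insertion order == evaluation order
            if r.matches(src, dport):
                return r.action
        return self.default

# Constructed policy: the trusted LAN may do anything, telnet from anywhere
# else is denied, all else is allowed.  Order matters: swapping the first
# two rules would block LAN telnet as well.
POLICY = [Rule("allow", "192.168.1."), Rule("deny", dport=23), Rule("allow")]
def reload(chain, atomic):
    """Rebuild POLICY; return what an outside telnet probe sees mid-update."""
    if atomic:
        chain.lock()
    chain.flush()
    seen_in_gap = chain.check("10.0.0.5", 23)
    for r in POLICY:
        chain.add(r)
    if atomic:
        chain.commit()
    return seen_in_gap
```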