NFR Wizards Archive: Re: [FW1] How many rules can exist in fw1

Re: [FW1] How many rules can exist in fw1 ?


Deepak Vaidya (dvaidyaclark.net)
Sun, 20 Sep 1998 08:00:21 -0400


I was under the impression that it looked at the properties first, that
is where the rule 0 comes from and then the order of the rules. Anytime
that I have used the fw-1 and tried to setup conflicting rules, the
verify portion has always bombed.

- Deepak

Jennifer Galvin wrote:
>
> That's how it was explained to me in class. Plus, if you have a rule that
> requires encryption between two hosts, and then later on it allows no
> encryption between two hosts, FW1 will then pick the rule with less
> security, even though it comes after the 1st rule.
>
> Regards,
> Jennifer Galvin
>
> > Really?
> >
> > I'd always thought that packets were compared from the rulebase until a match was found..
> >
> > Try rule 0 first.. Nope does not match..
> > Try rule 1 next.. nope does not match..
> > Try rule 2 next.. nope does not match
> > ..
> > ..
> > ..
> > Try rule 25.. AHA.. we have a source AND dest AND service match.. is it allowed or not?
> >
> >
> >
> > > -----Original Message-----
> > > From: Jennifer Galvin [SMTP:jgalvindigex.net]
> > > Sent: Saturday, September 19, 1998 3:21 PM
> > > To: Øyvind Olsen
> > > Cc: fw-1-mailinglistlists.us.checkpoint.com
> > > Subject: Re: [FW1] How many rules can exist in fw1 ?
> > >
> > >
> > >
> > > Whenever you edit an existing rulebase, and insert a new rule, more
> > > Inspect code is generated by the gui for the new policy. So, 500 rules =
> > > lots of code for the inspection engine to crank through before it decides
> > > what to do with the traffic. Remember, FW1 is a best-fit firewall, not a
> > > first-fit, so it will preview all rules before it determines which one
> > > best matches the traffic going in or out. This means the amount of
> > > Inspect code is probably directly proportional to the overhead the
> > > firewall is going to experience each time it needs to analyze traffic.
> > >
> > > In short, make it concise, since more rules may slow down your firewall.
> > >
> > > Regards,
> > > Jennifer Galvin
> > >
> > > >
> > > > Hi !
> > > >
> > > > Has anyone experimented with, say, 500 rules, and measured how the
> > > > performance is affected ?
> > > >
> > > > I might set up a test myself, but thought I'd ask the Gurus first ...
> > > >
> > > > Regards,
> > > > Oyvind Olsen
> > > >
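The top-down, first-match walk described in the thread's second message, and the conflicting-rule case Deepak says the verify step bombs on, as an added example that is not from the list or from Check Point: a small first-match evaluator over a constructed rulebase, plus a shadowing check that flags a later rule fully covered by an earlier one with a different action, so its stricter or looser action can never fire. The Rule fields, action names and sample addresses are assumptions, not FW-1 syntax.

```python
import ipaddress
from dataclasses import dataclass


@dataclass
class Rule:
    num: int       # position in the rulebase, 1 = top
    src: str       # source network, CIDR (assumed representation)
    dst: str       # destination network, CIDR
    service: str   # e.g. "tcp/80", or "any"
    action: str    # "accept", "drop" or "encrypt"


def _in(addr, cidr):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)


def first_match(rules, src, dst, service):
    """First-match semantics: walk top-down and stop at the first rule whose
    source, destination and service all match; rules below it are never seen."""
    for r in rules:
        if _in(src, r.src) and _in(dst, r.dst) and r.service in ("any", service):
            return r.num, r.action
    return None, "drop"  # implicit cleanup: nothing matched


def _covers(outer, inner):
    """True if every (src, dst, service) that matches `inner` also matches `outer`."""
    return (ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
            and ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
            and outer.service in ("any", inner.service))


def shadowed(rules):
    """Return (later, earlier) pairs where an earlier rule fully covers a later
    one with a different action: under first-match the later rule is dead code."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.action != later.action and _covers(earlier, later):
                found.append((later.num, earlier.num))
                break
    return found


# Constructed sample rulebase: rule 2 wants plain accept for one web-server pair,
# but rule 1 already covers that traffic and says encrypt, so rule 2 is shadowed.
RULES = [
    Rule(1, "10.1.1.0/24", "10.2.2.0/24", "any", "encrypt"),
    Rule(2, "10.1.1.5/32", "10.2.2.9/32", "tcp/80", "accept"),
    Rule(3, "0.0.0.0/0", "10.2.2.9/32", "tcp/443", "accept"),
]
```

Running `shadowed(RULES)` reports rule 2 as shadowed by rule 1, which is the kind of conflict a rulebase verify step should catch before the policy is installed.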



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:47 CDT