NFR Wizards Archive: Re: [FW1] How many rules can exists in fw1

Re: [FW1] How many rules can exists in fw1 ?


DIGEX Grrrrrrrrrl (jgalvinschultz.cs.loyola.edu)
Thu, 24 Sep 1998 14:14:19 -0400 (EDT)


Well, yes. I would like to know why.

> It was you who mentioned it in the first place! If there is an encryption
> rule between two hosts, and then a rule later on that allows traffic
> between the two _without_ encryption, the second rule is used rather than
> the first - hence an exception to 'first fit'!
>
> >What do you mean exception? How and why does the stateful inspection
> >module treat them differently?
> >
> >Well, in any case, that would explain it....
> >
> >Regards,
> >Jennifer Galvin
> >
> >>
> >> Nope, not in the case of encryption rules, which are an exception to the
> >> 'first fit' model.
> >>
> >> >I was under the impression that it looked at the properties first, that
> >> >is where the rule 0 comes from and then the order of the rules. Anytime
> >> >that I have used the fw-1 and tried to setup conflicting rules, the
> >> >verify portion has always bombed.
> >> >
> >> >- Deepak
> >> >
> >> >Jennifer Galvin wrote:
> >> >>
> >> >> That's how it was explained to me in class. Plus, if you have a rule that
> >> >> requires encryption between two hosts, and then later on it allows no
> >> >> encryption between two hosts, FW1 will then pick the rule with less
> >> >> security, even though it comes after the 1st rule.
> >> >
> >>
> >>
> >
> >
> >
>
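
An added example, not part of the original thread and not Check Point code: a rulebase audit that flags every encrypt rule whose hosts and service overlap a plain accept rule, the pairing this thread says does not follow 'first fit'. The `Rule` model, its field names and the sample rulebase are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_network


@dataclass(frozen=True)
class Rule:
    num: int       # position in the rulebase (hypothetical model)
    src: str       # source network in CIDR form
    dst: str       # destination network in CIDR form
    service: str   # service name, or "any"
    action: str    # "encrypt", "accept" or "drop"


def _svc_overlap(a: str, b: str) -> bool:
    return a == "any" or b == "any" or a == b


def overlaps(r1: Rule, r2: Rule) -> bool:
    """True when some packet could match both rules."""
    return (ip_network(r1.src).overlaps(ip_network(r2.src))
            and ip_network(r1.dst).overlaps(ip_network(r2.dst))
            and _svc_overlap(r1.service, r2.service))


def encryption_conflicts(rules):
    """Return sorted (encrypt_rule, accept_rule) number pairs that overlap.

    Pairs are reported whatever their order in the rulebase, so the result
    does not depend on which rule the firewall ends up applying.
    """
    enc = [r for r in rules if r.action == "encrypt"]
    plain = [r for r in rules if r.action == "accept"]
    return sorted((e.num, p.num) for e in enc for p in plain if overlaps(e, p))


# Constructed sample rulebase: rule 3 permits, without encryption,
# traffic that rule 1 requires to be encrypted.
RULES = [
    Rule(1, "10.1.1.5/32", "192.168.7.9/32", "any", "encrypt"),
    Rule(2, "10.2.0.0/16", "0.0.0.0/0", "http", "accept"),
    Rule(3, "10.1.1.0/24", "192.168.7.0/24", "any", "accept"),
    Rule(4, "0.0.0.0/0", "0.0.0.0/0", "any", "drop"),
]

if __name__ == "__main__":
    for enc_num, acc_num in encryption_conflicts(RULES):
        print(f"rule {enc_num} (encrypt) overlaps rule {acc_num} (accept)")
```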



This archive was generated by hypermail 2.0b3 on Sat Jul 17 1999 - 07:11:47 CDT