Robert
I know / agree that FW-1 can inspect both inbound and outbound traffic..
My concern is having different rulebases for inbound and outbound traffic..
Say my FW1 rulebase has 20 rules - 10 for inbound traffic and 10 for
outbound. Consider an incoming packet. It will be matched against all the 20
rules (the extreme case). Instead of the one rulebase, if my firewall had 2
rulebases (one for inbound traffic with 10 rules and one for the outbound
with 10 rules), the inbound packet will be matched against only a maximum of
10 rules.. The inbound packet won't be matched against the 10 rules for
outbound traffic.. Won't this enhance performance?
Sorry if I'm not clearly expressing my question..
Sam
-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED]]On Behalf Of Robert MacDonald
Sent: Wednesday, November 15, 2000 3:25 AM
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: Re: Different Rulebases for incoming and outgoing traffic..
Samuel,
Well fw1 does have the ability to inspect inbound and
outbound. You do this by setting the "Apply Gateway Rules
to Interface Direction" to 'Eitherbound'.
As for increased performance - nope. You basically double
the performance _hit_.
See http://www.phoneboy.com/fw1/faq/0102.html for more
info. You can search www.securepoint.com for comments
on the good and evils of doing the above.
Robert
- -
Robert P. MacDonald, Network Engineer
Team Lead, e-Business Infrastructure
G o r d o n F o o d S e r v i c e
Voice: +1.616.261.7987 email: [EMAIL PROTECTED]
>>> "Samuel Kindrol" <[EMAIL PROTECTED]> 11/14/00 4:44:28 PM >>>
>Pardon me if my question is stupid or irrational..
>
>In Checkpoint FW-1 there is only one rulebase against which both incoming
>and outgoing traffic is matched. Instead of this if there were two different
>rulebases (sets of rules) for incoming and outgoing wouldn't it give better
>performance?
>
>Why is this not there? Or is this the way the policy/rulebase works after
>compilation?
>
>I think this feature is there in IPChains !!!
>
>Thanks
>Sam
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]