I will give you my personal opinion on your questions. I personally like
the way rules are processed in the Checkpoint firewall. It starts at rule
number 1; if this rule applies to the packet, an action is taken, and if this
rule does not apply, it goes to the next rule. This is very easy to
understand, and troubleshooting a rule base is very easy. The way
that I organize my rules is the following: I start with drop/reject rules
that apply to everything first, I then move to less explicit drops, and
finally I will put in accept rules only if they must be prior to a drop
rule. Then the end of my rule base, with the exception of the final rule, is
the accept rules. A very basic rule base in my firewall would look
something like:
Rule  From                    To                      For                              Action
1     ANY                     ANY                     unacceptable-protocols           drop
2     Internal-Addresses      not-internal-addresses  http->content-screen             accept
3     Internal-Addresses      not-internal-addresses  ftp->content-screen              accept
4     Internal-Addresses      not-internal-addresses  allowed-protocols                accept
5     Internal-Addresses      not-internal-addresses  smtp->outbound-content-screen    accept
6     not-internal-addresses  Internal-Addresses      smtp->inbound-content-screen     accept
7     ANY                     ANY                     ANY                              drop
This first blocks anything we never want to allow, then we have the accept
rules in order of heaviest to lightest, and finally we block anything that
hasn't been explicitly allowed or blocked. I have also found that if you
correctly size your firewall, the amount of time that it takes to process
packets is actually very short: first the state table is checked, then, if
there is nothing that applies, the rule base is used, and the processing
of a packet in the rule base seems to be very fast.
Jim Wentzel
-----Original Message-----
From: Paul Messer [mailto:[EMAIL PROTECTED]]
Sent: Thursday, July 06, 2000 7:52 PM
To: [EMAIL PROTECTED]
Subject: [FW1] A point of principal
Dear All,
Could someone please give me their opinions...
Our rule base has been left unattended for a little while... I know the ins
and outs of creating rules and stuff like that... but I was thinking of a
reorganisation...
Is it better to put all the accept rules at the top so that these are
executed first, or is it better to specify the drops first, except for the
clean-up rule at the end?
On another but related note... why does FW-1 use a top-down hierarchical
approach when, by common consent, the most effective method of sorting (which
is essentially what happens when a decision to either drop or accept a
packet is made) is binary sorting, whereby the firewall makes decisions
based on source and destination: if the source and destination are in my allowed
table, allow it to the next sort level... Why trawl through 10 rules, checking
every time to see if the source, destination and service of rule x are complied
with?
I'm probably not explaining myself very well, but I think you'd get the
gist of what I'm saying...
i.e.....
1. source 10.50.10.10 ... is it allowed to 10.10.50.20? ... answer no, drop
packet
2. source 10.50.10.10 ... is it allowed to 10.10.50.10? ... answer yes, go to
next level
3. source 10.50.10.10 ... is it allowed to use port 25? ... answer yes,
accept packet through
4. source 10.50.10.10 ... is it allowed to use port 80? ... answer no,
drop packet
This is kind of what I mean... binary sorting, I'm reliably informed.
The example of which I'm told is...
a b c d e f g h i j k l m n o p q r s t u v w x y z
M is the middle letter and is known... you submit letter T... the sort asks
"is T greater than M?", answer yes... remove letters a - l... a new mid point is
known, i.e. U, and so on until all you have is T...
There may be little difference in what FW-1 does in terms of its rule
base... for example, we have rules something like this:
1. source Any, destination 10.10.50.10, service (port) 25, Accept...
This is fine, but if this rule is rule 9, the FW has to scan down 8 rules before
it gets to this one... if all the allows were known before the packet even
reached the firewall, you could save some time?
Is that logical? Anyhow, could someone much brighter than me who can be bothered
please explain it ;-)...
thanks ;-)
Paul Messer
PC & Network Support Manager
Taylor & Francis Group Plc
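The following is an added example, not code from either message or from Check Point. It models the two things discussed above in a few dozen lines of Python: Jim's seven-rule base evaluated top-down, first match wins, with a state table consulted before the rule base; and Paul's "sort everything up front" idea, implemented as a flat lookup table compiled from the same rule base. Running it shows that the compiled lookup makes exactly the decisions the top-down walk makes, and that the rule order still matters, because order is what decides which rule wins when two rules overlap (the reason Jim puts his global drops first). The network range, the members of the unacceptable-protocols and allowed-protocols groups, and the extra service names are assumptions; the thread names the groups but does not define them.

```python
"""First-match rule evaluation vs. a compiled lookup (added example, assumptions noted)."""
import ipaddress
from dataclasses import dataclass
from itertools import product

# Assumed definitions: the thread names these objects but not their members.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
UNACCEPTABLE_PROTOCOLS = {"telnet", "netbios-ssn"}
ALLOWED_PROTOCOLS = {"dns", "https", "ssh"}
ALL_SERVICES = sorted(UNACCEPTABLE_PROTOCOLS | ALLOWED_PROTOCOLS
                      | {"http", "ftp", "smtp", "irc"})


@dataclass(frozen=True)
class Rule:
    number: int
    src: str          # "ANY", "internal" or "not-internal"
    dst: str
    services: object  # "ANY" or a set of service names
    action: str       # "accept" or "drop"
    screen: str = ""  # content-screen resource, informational only


# Jim's rule base from the reply above, transcribed one rule per line.
RULEBASE = [
    Rule(1, "ANY", "ANY", UNACCEPTABLE_PROTOCOLS, "drop"),
    Rule(2, "internal", "not-internal", {"http"}, "accept", "content-screen"),
    Rule(3, "internal", "not-internal", {"ftp"}, "accept", "content-screen"),
    Rule(4, "internal", "not-internal", ALLOWED_PROTOCOLS, "accept"),
    Rule(5, "internal", "not-internal", {"smtp"}, "accept", "outbound-content-screen"),
    Rule(6, "not-internal", "internal", {"smtp"}, "accept", "inbound-content-screen"),
    Rule(7, "ANY", "ANY", "ANY", "drop"),  # clean-up rule
]


def addr_class(ip):
    """Classify an address as internal or not, against the assumed internal nets."""
    ip = ipaddress.ip_address(ip)
    return "internal" if any(ip in net for net in INTERNAL_NETS) else "not-internal"


def rule_matches(rule, src_class, dst_class, service):
    return (rule.src in ("ANY", src_class)
            and rule.dst in ("ANY", dst_class)
            and (rule.services == "ANY" or service in rule.services))


def first_match(rulebase, src_class, dst_class, service):
    """Top-down walk: returns (action, winning rule number, rules examined)."""
    for examined, rule in enumerate(rulebase, start=1):
        if rule_matches(rule, src_class, dst_class, service):
            return rule.action, rule.number, examined
    raise ValueError("rule base has no clean-up rule")


class StatefulFirewall:
    """State table first, rule base only for packets that open a new connection."""

    def __init__(self, rulebase):
        self.rulebase = rulebase
        self.connections = {}  # (src, dst, service) -> action for accepted flows

    def packet(self, src, dst, service):
        key = (src, dst, service)
        if key in self.connections:
            return self.connections[key], "state-table", 0
        action, number, examined = first_match(
            self.rulebase, addr_class(src), addr_class(dst), service)
        if action == "accept":
            self.connections[key] = action  # later packets skip the rule base
        return action, f"rule {number}", examined


def compile_lookup(rulebase, services):
    """Paul's idea: decide every (src class, dst class, service) once, up front.
    The rule order is baked in here, because first_match decides each entry."""
    table = {}
    for src_class, dst_class in product(("internal", "not-internal"), repeat=2):
        for service in services:
            action, _, _ = first_match(rulebase, src_class, dst_class, service)
            table[(src_class, dst_class, service)] = action
    return table


def lookup(table, src, dst, service):
    """Constant-time decision from the compiled table."""
    return table[(addr_class(src), addr_class(dst), service)]


if __name__ == "__main__":
    fw = StatefulFirewall(RULEBASE)
    for pkt in [("10.1.2.3", "192.0.2.10", "http"), ("10.1.2.3", "192.0.2.10", "http"),
                ("10.1.2.3", "192.0.2.10", "irc"), ("192.0.2.10", "10.1.2.3", "smtp")]:
        print(pkt, "->", fw.packet(*pkt))
    table = compile_lookup(RULEBASE, ALL_SERVICES)
    print("compiled:", lookup(table, "10.1.2.3", "192.0.2.10", "ftp"))
```

The compiled table answers Paul's question in the only way the rule base allows: you can precompute the decisions, but the precomputation has to walk the rules in order, because a global drop at rule 1 must beat an accept at rule 3 for the same traffic. Tightening rule 1 to include ftp and then moving it below the ftp accept flips the decision, which is exactly why Jim keeps his drops at the top.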
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================