Firewall Wizards mailing list archives

Re: Opinion: Worst interface ever.


From: "Paul D. Robertson" <paul () compuwar net>
Date: Tue, 5 Jul 2005 09:45:43 -0400 (EDT)

On Tue, 5 Jul 2005, Marcus J. Ranum wrote:

> That's a chip-head thing, Paul. Remember - it's all about performance,
> not security. By re-ordering the ruleset the firewall can evaluate the
> rules in the fastest possible manner. I had this explained to me once
> by an engineer who builds ASIC firewalls for a living - he thought it was
> a very cool optimization.

I don't mind the optimization[1], I mind the fact that the UI won't tell
me how the rules are optimized.  I mind that I can't seem to find the
logging software on the disk the UI came on, so I can't even see what the
heck rule is making the box send out ICMP port unreachables.  I mind that
following the instructions doesn't produce the results I expect.

If I ever have to audit one of these things, I'm charging extra.

> When I suggested that they optimize the "deny all" default deny to the
> top of the sequence, because then it'd really scream - it took him a
> couple of seconds to laugh.

I bet!

Paul
[1] Caveat:  I'd like to be able to override it in a perfect world.
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
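The reordering Marcus describes only stays safe when the optimizer never moves a rule past an overlapping rule with a different action, and Paul's complaint is that the UI gives no way to verify that. The check below is added here as an illustration (not code from the list or from any firewall product; the ruleset, evaluation costs and probe packets are constructed): it reorders by cost only across safe swaps, reports which rule fired, and shows that a naive cost-only sort does exactly what the "default deny at the top" joke suggests.

```python
from ipaddress import ip_address, ip_network

# Constructed example ruleset, first-match semantics:
# (name, source network, destination port or None for any, action, eval cost)
RULES = [
    ("allow-mgmt-ssh", "10.0.0.0/24", 22, "allow", 3),
    ("deny-guest", "10.0.1.0/24", None, "deny", 1),
    ("allow-web", "0.0.0.0/0", 80, "allow", 2),
    ("default-deny", "0.0.0.0/0", None, "deny", 1),
]
# Constructed probe packets: (source address, destination port).
PROBES = [("10.0.0.5", 22), ("10.0.1.9", 80), ("192.0.2.7", 80), ("192.0.2.7", 443)]

def overlaps(a, b):
    """True if at least one packet could match both rules."""
    nets = ip_network(a[1]).overlaps(ip_network(b[1]))
    ports = a[2] is None or b[2] is None or a[2] == b[2]
    return nets and ports

def safe_to_swap(a, b):
    """Adjacent rules may trade places without changing the firewall's
    decision iff no packet matches both, or both take the same action."""
    return not overlaps(a, b) or a[3] == b[3]

def optimize(rules):
    """Bubble cheaper rules upward, but only past rules they can safely
    swap with, so first-match behaviour is preserved."""
    order = list(rules)
    changed = True
    while changed:
        changed = False
        for i in range(len(order) - 1):
            a, b = order[i], order[i + 1]
            if b[4] < a[4] and safe_to_swap(a, b):
                order[i], order[i + 1] = b, a
                changed = True
    return order

def cost_only(rules):
    """The unsafe version: sort purely by cost, ignoring overlap."""
    return sorted(rules, key=lambda r: r[4])

def first_match(rules, src, dport):
    """Return (rule name, action) of the first matching rule, for logging."""
    addr = ip_address(src)
    for name, net, port, action, _ in rules:
        if addr in ip_network(net) and (port is None or port == dport):
            return name, action
    return None, None

def equivalent(rules_a, rules_b, probes):
    """True if both orderings take the same action on every probe packet."""
    return all(first_match(rules_a, s, p)[1] == first_match(rules_b, s, p)[1]
               for s, p in probes)
```

The probe-based comparison only covers the packets you list; a full equivalence proof has to enumerate every overlap region between rule pairs rather than sample it.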
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards