Firewall Wizards mailing list archives

Re: Opinion: Worst interface ever.


From: "Paul D. Robertson" <paul () compuwar net>
Date: Wed, 6 Jul 2005 08:46:49 -0400 (EDT)

On Wed, 6 Jul 2005, Darren Reed wrote:

> How do you audit firewall-1 ?  Do you ask the kernel module for the rules
> *it* has loaded or do you just accept what the gui gives you ?

Absent any indication that there's stuff going on that shouldn't be, what
the GUI gives out should suffice if you're also testing with live packets.

> Does FW-1 tell you how it optimises rules when it compiles your ruleset ?
> Or does auditing fw-1 primarily revolve around testing ?


In theory, optimization should impact performance (which is why ordering
rules is important)- rejecting the biggest pile of rejects or accepting
the largest amount of permitted traffic first should speed things up.  If
optimization changes behavior, then things get um, "interesting"- which is
why knowing what fields optimize over others is crucial, but knowing
which addresses take precedence over others is just nice to have.

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
paul () compuwar net       which may have no basis whatsoever in fact."
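
The audit approach discussed in this message, sketched as an added example (not part of the original post and not FireWall-1's own logic): a generic first-match rule model that replays probe packets through the configured order and a reordered copy, and flags adjacent rules whose order affects the verdict. The rulesets, addresses, probes and function names are constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from itertools import product

# Constructed sample ruleset: (action, source network, destination port; None = any).
CONFIGURED = [
    ("drop",   "10.1.2.0/24", None),  # quarantine subnet, deliberately first
    ("accept", "10.1.0.0/16", 443),   # busiest rule
    ("accept", "10.0.0.0/8",  25),
    ("drop",   "0.0.0.0/0",   None),  # default deny
]
# Hypothetical "optimised" order: busiest accept hoisted above the quarantine drop.
HOISTED = [CONFIGURED[1], CONFIGURED[0], CONFIGURED[2], CONFIGURED[3]]
# Reorder that only swaps two non-overlapping accepts.
SAFE = [CONFIGURED[0], CONFIGURED[2], CONFIGURED[1], CONFIGURED[3]]
# Constructed probe packets: (source address, destination port).
PROBES = list(product(["10.1.2.7", "10.1.9.9", "10.200.0.1", "192.0.2.10"],
                      [25, 443, 80]))

def verdict(rules, src, dport):
    """First-match evaluation: the first rule that matches decides."""
    for action, net, port in rules:
        if ip_address(src) in ip_network(net) and port in (None, dport):
            return action
    return "drop"  # nothing matched: assume implicit deny

def overlaps(a, b):
    """True if some packet can match both rules."""
    ports = a[2] is None or b[2] is None or a[2] == b[2]
    return ports and ip_network(a[1]).overlaps(ip_network(b[1]))

def order_sensitive_pairs(rules):
    """Adjacent rule pairs that cannot be swapped without changing behaviour."""
    return [(i, i + 1) for i in range(len(rules) - 1)
            if rules[i][0] != rules[i + 1][0] and overlaps(rules[i], rules[i + 1])]

def diff_audit(configured, loaded, probes):
    """Replay probes through both orders; return probes whose verdict changed."""
    changed = []
    for src, dport in probes:
        want, got = verdict(configured, src, dport), verdict(loaded, src, dport)
        if want != got:
            changed.append((src, dport, want, got))
    return changed

if __name__ == "__main__":
    print("order-sensitive pairs:", order_sensitive_pairs(CONFIGURED))
    print("hoisted vs configured:", diff_audit(CONFIGURED, HOISTED, PROBES))
    print("safe vs configured:   ", diff_audit(CONFIGURED, SAFE, PROBES))
```
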