
List:       firewalls-gc
Subject:    Re: IP Filters?
From:       "Fernando da Silveira Montenegro" <montenegro () nutec ! com ! br>
Date:       1997-07-03 15:57:51

Hi!

>Just guessing, but you ought
>to be able to get 80%-90% or more of all packets to hit within the first
>half-dozen or so rules.

If you sort your rules nicely, you can decide on the majority of the
packets within the first few rules. The problem arises when you specify a
number of denys before the catch-all permit rule (remember, my environment
is an ISP, where high ports are allowed and expected).

For instance, if you look at the numbers below, you'll see that a LOT of
UDP traffic (over 99.5% of it, as a matter of fact) had to follow at least
3 UDP-only rules, and that's because I can use the "range" operator (on
other filtering engines, such as Livingston's, I'd need an additional 4
rules). With TCP, the number is a bit better because the huge huge
majority (93.5%) matches the first rule, for "established" connections,
but still, each server that I describe (such as the fictitious SMTP server
below) adds more and more TCP rules. And I have quite a few servers...
    permit tcp any any established (73048149 matches)
    deny   udp any any range 135 139 (176027 matches)
    deny   udp any any eq sunrpc
    deny   udp any any eq 2049 (164 matches)
    permit udp any any (36431719 matches)
    permit tcp any host 192.168.1.1 eq smtp (53081 matches)
    permit tcp any host 192.168.1.1 eq 113 (240630 matches)
    deny   tcp any host 192.168.1.1 (520 matches)
    deny   tcp any any range 135 139 (407 matches)
    deny   tcp any any eq sunrpc
    deny   tcp any any eq 2049 (38 matches)
    permit tcp any any (4749786 matches)
    permit icmp any any (837948 matches)

I don't know how the routers implement the filtering mechanism (separate
table for UDP, TCP, IP, ICMP, ...?) but in the worst case (simple table
lookup), I'll have to have 5% of my TCP traffic go through 150-200 rules.
That is what worries me.

Am I making sense or just making a fool of myself by having this concern?
I mean, is the performance penalty noticeable?

>--
>KH
>
Fernando
--
Fernando da Silveira Montenegro     Nutec Informatica
System/Network Administrator        Sao Paulo, SP, BRAZIL
mailto:montenegro@nutec.com.br      http://www.nutecnet.com.br
voice.:+55-11-5505-5728             #include <std_disclaimer.h>
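To put a number on the "how many rules does each packet traverse" question, here is an added example (not part of the original message or of any router's code) that simulates first-match evaluation of the rule list quoted above in Python and weights the rule depth by the match counts quoted in the message. The sample packets, the host 10.1.2.3, and the treatment of "established" as a plain boolean flag on the packet are constructed assumptions; smtp and sunrpc are taken as ports 25 and 111.

```python
# Added example: first-match ACL evaluation over the rule list quoted above.
# Rule tuple: (action, proto, dst_host, port_lo, port_hi, established_only).
RULES = [
    ("permit", "tcp",  None,          None, None, True),   # established
    ("deny",   "udp",  None,          135,  139,  False),
    ("deny",   "udp",  None,          111,  111,  False),  # sunrpc
    ("deny",   "udp",  None,          2049, 2049, False),
    ("permit", "udp",  None,          None, None, False),
    ("permit", "tcp",  "192.168.1.1", 25,   25,   False),  # smtp
    ("permit", "tcp",  "192.168.1.1", 113,  113,  False),
    ("deny",   "tcp",  "192.168.1.1", None, None, False),
    ("deny",   "tcp",  None,          135,  139,  False),
    ("deny",   "tcp",  None,          111,  111,  False),  # sunrpc
    ("deny",   "tcp",  None,          2049, 2049, False),
    ("permit", "tcp",  None,          None, None, False),
    ("permit", "icmp", None,          None, None, False),
]

def matches(rule, pkt):
    action, proto, host, lo, hi, est_only = rule
    if pkt["proto"] != proto:
        return False
    if est_only and not pkt.get("established", False):  # simplified (assumption)
        return False
    if host is not None and pkt["dst"] != host:
        return False
    if lo is not None and not (lo <= pkt["dport"] <= hi):
        return False
    return True

def evaluate(pkt):
    for depth, rule in enumerate(RULES, start=1):  # linear, first match wins
        if matches(rule, pkt):
            return rule[0], depth
    return "deny", len(RULES)  # implicit deny after the last rule

# Constructed traffic mix: one representative packet per rule that showed
# matches in the message, weighted by that rule's quoted match count.
SAMPLE_TRAFFIC = [
    ({"proto": "tcp", "dst": "10.1.2.3", "dport": 80, "established": True}, 73048149),
    ({"proto": "udp", "dst": "10.1.2.3", "dport": 137}, 176027),
    ({"proto": "udp", "dst": "10.1.2.3", "dport": 53}, 36431719),
    ({"proto": "tcp", "dst": "192.168.1.1", "dport": 25}, 53081),
    ({"proto": "tcp", "dst": "10.1.2.3", "dport": 80}, 4749786),   # new SYN
    ({"proto": "icmp", "dst": "10.1.2.3"}, 837948),
]

def weighted_depth(traffic):
    # Average number of rules examined per packet, weighted by packet volume.
    total = sum(w for _, w in traffic)
    return sum(evaluate(p)[1] * w for p, w in traffic) / total
```

With the quoted counts the weighted average comes out just under 3 rules per packet, because the "established" rule absorbs most of the volume; every new TCP connection to a non-server host, however, walks all 12 TCP/UDP rules before the catch-all permit.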
