From owner-freebsd-hackers Fri Dec 15 17:09:53 1995
Return-Path: owner-hackers
Received: (from root@localhost) by freefall.freebsd.org (8.7.3/8.7.3) id RAA02916 for hackers-outgoing; Fri, 15 Dec 1995 17:09:53 -0800 (PST)
Received: from multivac.orthanc.com (root@multivac.orthanc.com [204.244.20.2]) by freefall.freebsd.org (8.7.3/8.7.3) with ESMTP id RAA02905 for ; Fri, 15 Dec 1995 17:09:45 -0800 (PST)
Received: from localhost (lyndon@localhost) by multivac.orthanc.com (8.7/8.7) with SMTP id RAA11261; Fri, 15 Dec 1995 17:08:29 -0800 (PST)
Message-Id: <199512160108.RAA11261@multivac.orthanc.com>
X-Authentication-Warning: multivac.orthanc.com: Host lyndon@localhost didn't use HELO protocol
From: Lyndon Nerenberg (VE7TCP)
To: Luigi Rizzo
cc: hackers@freebsd.org
Subject: Re: Order of rules in ip_fw chain
In-reply-to: Your message of "Fri, 15 Dec 1995 20:50:22 +0100." <199512151950.UAA00783@labinfo.iet.unipi.it>
Date: Fri, 15 Dec 1995 17:08:26 -0800
Sender: owner-hackers@freebsd.org
Precedence: bulk

>>>>> "Luigi" == Luigi Rizzo writes:

Luigi> Priorities are nice, but kind of hard to
Luigi> implement. Moreover, an ordering between rules with the
Luigi> same priority is still required to achieve a deterministic
Luigi> *and* easily predictable behaviour.

Yes!

Luigi> Whenever I need, I modify the script and re-run it. Sure,
Luigi> there is a hole in between the two commands where unwanted
Luigi> connections might get in, but the probability is quite low
Luigi> *and* a simple change to the 'flush' command can allow the
Luigi> firewall to set the default policy as well.

This could be worked around by implementing locks around the filter
updates. Something like:

	ipfw lock	# temporarily block everything
	[ make updates ]
	ipfw commit	# make new rules live

Luigi> All in all, I would just try to make additions to the
Luigi> firewall chain be stored in the same order as they are
Luigi> made.

Yes!
The interface must be simple and easily understood lest people get chomped on by unintended surprises. (Cheswick and Bellovin explain this well in their book.) It would also be nice if the software and documentation agreed on the point where a packet falls out due to a positive or negative match on the filtering rules. --lyndon
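Added illustration, not part of this thread and not ipfw code: a small Python model of a first-match chain that shows why the order rules were added in decides the outcome, why a flush-then-reload script leaves a window in which only the default policy answers, and how a lock/commit pair closes it. The `lock`/`commit` names are Lyndon's proposal; modelling them as "build the new chain aside, then swap it in as one step" is an assumption made here, and the rules and probe packet are constructed sample data.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str                      # source CIDR, e.g. "10.0.0.0/8"
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, src_ip: str, dport: int) -> bool:
        return (ip_address(src_ip) in ip_network(self.src)
                and (self.dport is None or self.dport == dport))

class Firewall:
    """First-match chain: rules are tried in the order they were added;
    the default policy decides when nothing matches."""
    def __init__(self, default: str = "deny"):
        self.default = default
        self.rules: List[Rule] = []
        self.staged: Optional[List[Rule]] = None   # non-None only between lock and commit

    def add(self, rule: Rule) -> None:
        (self.rules if self.staged is None else self.staged).append(rule)

    def flush(self) -> None:
        self.rules = []

    def decide(self, src_ip: str, dport: int) -> str:
        for r in self.rules:
            if r.matches(src_ip, dport):
                return r.action
        return self.default

    # Hypothetical lock/commit pair: the new chain is built aside and swapped
    # in as a single step, so the old rules keep answering until commit.
    def lock(self) -> None:
        self.staged = []

    def commit(self) -> None:
        if self.staged is None:
            raise RuntimeError("commit without lock")
        self.rules, self.staged = self.staged, None

def reload_with_flush(fw: Firewall, new_rules: List[Rule], probe) -> Tuple[str, str]:
    """Flush-then-reload script. Returns (decision inside the window, decision after)."""
    fw.flush()
    in_window = fw.decide(*probe)     # only the default policy is in force here
    for r in new_rules:
        fw.add(r)
    return in_window, fw.decide(*probe)

def reload_with_commit(fw: Firewall, new_rules: List[Rule], probe) -> Tuple[str, str]:
    """Same reload through lock/commit: no point at which the chain is empty."""
    fw.lock()
    for r in new_rules:
        fw.add(r)
    in_window = fw.decide(*probe)     # old chain still answers
    fw.commit()
    return in_window, fw.decide(*probe)
```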