> It is a linear lookup - that is the only way to do it and not screw up the
> order of the rules. And order is EXTREMELY important. A small change in
> the order of rules can wreck a filter's effectiveness.
Amen
> Also, put the rules you expect to have the most hits at the top. Like a
> 'permit tcp estab' rule on an input filter. Always put any anti-spoofing
> rules first, then follow with the most commonly hit. Since the filter is
> parsed only until a rule matches (or the end is reached with the implicit
> deny) it doesn't matter how long the list is. If the packet matches on rule
> 4, it may as well only be 4 lines long, the rest is not parsed.
Some numbers from my border router's input filter illustrate MZ's point:
    2 anti-spoofing rules:      9000 hits
    permit tcp estab:       28000000
    permit dns udp:           800000
    other udp rules:         1900000
    permit www syns:          500000
    all other rules:          700000
So almost 90% of packets see a filter only 3 lines long. If I had
only one block of address space, I could put the source address anti-
spoof check into every rule, and almost 90% of packets would pass the
first rule.
(The numbers come from a cisco; ciscos count filter rule hits.)
BTW, those 9000 anti-spoofing hits are mostly bogus. When a dialup
user hangs up while a transfer from one of my own servers is in
progress, the route to that address disappears (actually it gets
marked invalid), and the subsequent packets to it fall through to the
default route out to Sprint, which of course just sends them back.
When I last built my output filter it hadn't yet occurred to me that I
needed to filter against packets addressed to my address space from
being sent out ...
--
Dick St.Peters, Gatekeeper, Pearly Gateway, Ballston Spa, NY
stpeters@NetHeaven.com    Owner, NetHeaven    518-885-1295/800-910-6671
Albany/Saratoga/Glens Falls/North Creek/Lake Placid/Blue Mountain Lake
First Internet service based in the 518 area code
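The two points made above (that rule order decides correctness, and that first-match evaluation makes the list's length irrelevant for most packets) as a worked example. This is added code, not from the thread or from any router vendor: it models a Cisco-style input access-list with first-match semantics and an implicit deny, shows that swapping the anti-spoofing denies below 'permit tcp established' lets a spoofed ACK through, and reruns the arithmetic on the hit counts quoted in the post. The 192.0.2.0/24 block, the packets and the exact rules are constructed; the rule counts assumed for the "other udp" and "all other" groups (4 and 10) are not given in the post.

```python
"""Added example: first-match evaluation of an ordered packet filter.
The address block, packets and rule set are constructed for illustration;
the hit counts are the ones quoted in the post."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

OUR_SPACE = "192.0.2.0/24"   # constructed stand-in for "my address space"

@dataclass
class Packet:
    src: str
    dst: str
    proto: str                 # "tcp" or "udp"
    dport: int = 0
    established: bool = False  # TCP with ACK or RST set (cisco 'established')

@dataclass
class Rule:
    name: str
    action: str                       # "permit" or "deny"
    proto: Optional[str] = None       # None matches any protocol
    src_net: Optional[str] = None     # None matches any source
    dport: Optional[int] = None
    established: Optional[bool] = None
    hits: int = 0                     # per-rule counter, as a cisco keeps

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.src_net is not None and ip_address(pkt.src) not in ip_network(self.src_net):
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.established is not None and pkt.established != self.established:
            return False
        return True

def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, str, int]:
    """Walk the list top-down, stop at the first match; falling off the end is
    the implicit deny. Returns (action, rule name, rules examined)."""
    for depth, rule in enumerate(acl, 1):
        if rule.matches(pkt):
            rule.hits += 1
            return rule.action, rule.name, depth
    return "deny", "implicit deny", len(acl)

def build_acl(antispoof_first: bool = True) -> List[Rule]:
    """Input filter on the outside interface: packets claiming to come from our
    own block (or loopback) cannot legitimately arrive there."""
    antispoof = [
        Rule("deny src in our space", "deny", src_net=OUR_SPACE),
        Rule("deny src loopback", "deny", src_net="127.0.0.0/8"),
    ]
    rest = [
        Rule("permit tcp estab", "permit", proto="tcp", established=True),
        Rule("permit dns udp", "permit", proto="udp", dport=53),
        Rule("permit www syns", "permit", proto="tcp", dport=80, established=False),
    ]
    return antispoof + rest if antispoof_first else rest + antispoof

# Constructed packets: a forged source inside our block with ACK set so it
# looks like the tail of a connection, and a genuine reply from outside.
SPOOFED_ACK = Packet("192.0.2.10", "192.0.2.5", "tcp", dport=22, established=True)
LEGIT_ACK = Packet("198.51.100.7", "192.0.2.5", "tcp", dport=40000, established=True)

# (group, rules in group, hits) as posted. Sizes 4 and 10 are assumptions.
POSTED = [
    ("anti-spoofing", 2, 9_000),
    ("permit tcp estab", 1, 28_000_000),
    ("permit dns udp", 1, 800_000),
    ("other udp rules", 4, 1_900_000),
    ("permit www syns", 1, 500_000),
    ("all other rules", 10, 700_000),
]

def fraction_resolved_within(groups, n_rules: int) -> float:
    """Share of packets decided once the n-th rule has been examined."""
    total = sum(h for _, _, h in groups)
    seen, depth = 0, 0
    for _, n, h in groups:
        depth += n
        if depth <= n_rules:
            seen += h
    return seen / total

def mean_rules_examined(groups) -> float:
    """Upper bound on rules walked per packet: a packet matched in a group is
    charged every rule up to the end of that group."""
    total = sum(h for _, _, h in groups)
    cost, depth = 0, 0
    for _, n, h in groups:
        depth += n
        cost += h * depth
    return cost / total

def worst_order(groups):
    """Keep anti-spoofing first (for correctness), reverse everything else."""
    return groups[:1] + list(reversed(groups[1:]))

if __name__ == "__main__":
    for first in (True, False):
        act, name, depth = evaluate(build_acl(first), SPOOFED_ACK)
        print(f"anti-spoof first={first}: spoofed ACK -> {act} by '{name}' after {depth} rules")
    print(f"decided within 3 rules: {fraction_resolved_within(POSTED, 3):.1%}")
    print(f"mean rules examined, posted order: {mean_rules_examined(POSTED):.2f}")
    print(f"mean rules examined, worst order:  {mean_rules_examined(worst_order(POSTED)):.2f}")
```

With the denies on top the spoofed ACK dies at rule 1 and the genuine reply is permitted at rule 3; with the denies moved below 'permit tcp estab' the spoofed packet is permitted at rule 1, which is the ordering mistake the post warns about. On the posted counts just under 88% of packets are decided within three rules, and the average packet walks under four rules in the posted order versus over eighteen if the same rules are reversed below the anti-spoofing block.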