Excellent article at:
http://www.checkpoint.com/techsupport/documentation/FW-1_VPN-1_performance.html
Put the most frequently accessed rules at the top.
Also good articles at the wittys.com site.
Regards
Paul Messer wrote:
> Dear All,
>
> someone please give me their opinions....
>
> Our rule base has been left unattended for a little while...I know the ins
> and outs of creating rules and stuff like that...but I was thinking of a
> reorganisation....
>
> Is it better to put all the accept rules at the top so that these are
> executed first, or is it better to specify the drops first, except for the
> clean-up rule at the end?
>
> On another but related note..why does FW-1 use a top-down hierarchical
> approach when, by common consent, the most effective method of sorting, which
> is essentially what happens when a decision to either drop or accept a
> packet is made, is binary sorting, whereby the firewall makes decisions
> based on source and destination: if source and destination are in my allowed
> table, allow it to the next sort level...why troll through 10 rules checking
> every time to see if the source, destination and service of rule x are
> complied with?
>
> I'm probably not explaining myself very well but I think you'd get the
> gist of what I'm saying...
>
> i.e.....
> 1. source 10.50.10.10 ..is it allowed to 10.10.50.20 ....answer no , drop
> packet
> 2. source 10.50.10.10 ...is it allowed to 10.10.50.10 ....answer yes, go to
> next level
> 3. source 10.50.10.10 ... is it allowed to use port 25 .....answer yes,
> accept packet through
> 4. source 10.50.10.10 ... is it allowed to use port 80 ... ..answer no,
> drop packet
>
> This is kind of what I mean ..binary sorting I'm reliably informed.
>
> The example of which I'm told is...
>
> a b c d e f g h i j k l m n o p q r s t u v w x y z
>
> M is the middle letter and is known...you submit letter T...the sort asks
> is T greater than M? answer yes...remove letters a - l...a new midpoint is
> known..i.e. U and so on until all you have is T...
>
> There may be little difference in what FW-1 does in terms of its rule
> base.... for example we have rules something like this:
>
> 1. source Any destination 10.10.50.10 service (port) 25 Accept...
>
> this is fine, but if this rule is rule 9, FW has to scan down 8 rules before
> it gets to this one...if all the allows were known before the packet even
> reached the firewall you could save some time?
>
> Is that logical...anyhow, someone much brighter than me who can be bothered,
> please explain it ;-)...
>
> thanx ;-)
>
> Paul Messer
> PC & Network Support Manager
> Taylor & Francis Group Plc
>
--
Declan McKibben
Project Manager
IT Development
RTE
Donnybrook
Dublin 4
Ireland
t +353-1-2083698
f +353-1-2083080
e [EMAIL PROTECTED]
================================================================================
To unsubscribe from this mailing list, please see the instructions at
http://www.checkpoint.com/services/mailing.html
================================================================================
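The top-down, first-match behaviour both posts discuss, as an added Python model (not FW-1 code and not from either poster): it counts how many rules a packet walks through, shows the saving from moving a busy rule up, and checks whether a reorder keeps every verdict. The rules, addresses and traffic sample are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

Packet = Tuple[str, str, int]  # (source IP, destination IP, destination port)

@dataclass(frozen=True)
class Rule:
    src: str             # CIDR; "0.0.0.0/0" plays the role of Any
    dst: str
    port: Optional[int]  # None plays the role of Any service
    action: str          # "accept" or "drop"

    def matches(self, pkt: Packet) -> bool:
        src, dst, port = pkt
        return (ipaddress.ip_address(src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(dst) in ipaddress.ip_network(self.dst)
                and (self.port is None or self.port == port))

def evaluate(rules: Sequence[Rule], pkt: Packet) -> Tuple[str, int]:
    """Top-down, first-match: return (verdict, number of rules inspected)."""
    for i, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, i
    return "drop", len(rules)  # implicit drop when nothing matched

def total_inspections(rules: Sequence[Rule], traffic: Sequence[Packet]) -> int:
    """Rule comparisons spent on a traffic sample: the cost that ordering affects."""
    return sum(evaluate(rules, p)[1] for p in traffic)

def same_decisions(a: Sequence[Rule], b: Sequence[Rule], traffic: Sequence[Packet]) -> bool:
    """A reorder is only safe if every packet in the sample keeps its verdict."""
    return all(evaluate(a, p)[0] == evaluate(b, p)[0] for p in traffic)

# Constructed rule base using the thread's addresses (not any real site's policy).
RULES = [
    Rule("10.50.10.10/32", "10.10.50.20/32", None, "drop"),  # 1: host may not reach .20
    Rule("10.50.10.0/24", "10.10.50.10/32", 25, "accept"),   # 2: SMTP to the mail host
    Rule("0.0.0.0/0", "10.10.50.20/32", 80, "accept"),       # 3: web server open to Any
    Rule("0.0.0.0/0", "0.0.0.0/0", None, "drop"),            # 4: clean-up rule
]
WEB = ("192.0.2.7", "10.10.50.20", 80)  # the busiest flow in this constructed sample
TRAFFIC = [WEB] * 5 + [("10.50.10.10", "10.10.50.20", 80),
                       ("10.50.10.10", "10.10.50.10", 25),
                       ("10.50.10.10", "10.10.50.10", 80)]

# Moving the busy web rule above rule 1 saves comparisons but flips a verdict, because
# rules 1 and 3 overlap; swapping it with the non-overlapping rule 2 is safe.
UNSAFE = [RULES[2], RULES[0], RULES[1], RULES[3]]
SAFE = [RULES[0], RULES[2], RULES[1], RULES[3]]
```

The overlap between rules 1 and 3 is also the answer to the binary-sort question: wherever rules overlap, a rule's position carries meaning, so the rule base cannot in general be searched like a sorted list, and only non-overlapping rules can be moved freely.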