Re: Firewalling Rules

Waldo Bastian (w.c.bastian@student.utwente.nl)
Sun, 2 Nov 1997 18:03:03 +0100 (MET)


> I don't think you can work with hash tables easily: you don't know how
> specific a rule is going to hit this packet. So you cannot generate a
> usable hash-code from a packet that just came in that will point you
> towards the right firewall rule. If all rules would specify a complete
> host, then you'd be able to make a hash based on the source IP. However
> now you've got 32 possible netmasks that might make a rule match.

You can use hashing to look up some sort of rule-cache.
When you receive a packet belonging to a given combination of src-address/
src-port/dst-address/dst-port it is likely you will receive more packets
with that combination in the future. You can then create a cache entry for
that combination indexed with a hash. Each time you receive a packet you
would have to look up this cache first. If you have a hit you would still
have to check it is not some other combination which hashes to the same
hash-value.

Something similar is used in routers to reduce the cost of looking up
routing rules, I think (correct me if I'm wrong :). I can imagine though
a router to have a lot more routing rules than someone is going to have
firewall rules.

Waldo Bastian
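The rule-cache described in the post above, as an added example that is not part of the original mail or of any Linux firewalling code: a flow cache indexed by a hash of the 4-tuple, with the full tuple stored in each entry so a collision is detected and the rule list is consulted again. The rule table, addresses and hash function are constructed for illustration.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* One firewall rule: source/destination prefix plus ports (0 = any port). */
struct rule { uint32_t src, smask, dst, dmask; uint16_t sport, dport; bool accept; };

/* Constructed rule table (hypothetical addresses); first match wins. */
static const struct rule rules[] = {
    { 0xC0A80000u, 0xFFFF0000u, 0x0A000001u, 0xFFFFFFFFu, 0, 25, false }, /* 192.168/16 -> 10.0.0.1:25 deny */
    { 0xC0A80000u, 0xFFFF0000u, 0x00000000u, 0x00000000u, 0, 0,  true  }, /* 192.168/16 -> anywhere accept */
    { 0x00000000u, 0x00000000u, 0x00000000u, 0x00000000u, 0, 0,  false }, /* default deny */
};
#define NRULES (sizeof rules / sizeof rules[0])

/* Slow path: walk the rule list, applying each rule's own netmasks. */
static bool slow_match(uint32_t s, uint16_t sp, uint32_t d, uint16_t dp) {
    for (size_t i = 0; i < NRULES; i++) {
        const struct rule *r = &rules[i];
        if ((s & r->smask) == r->src && (d & r->dmask) == r->dst &&
            (r->sport == 0 || r->sport == sp) && (r->dport == 0 || r->dport == dp))
            return r->accept;
    }
    return false;
}

/* Cache entry keeps the full 4-tuple so a hash collision cannot yield a wrong verdict. */
struct centry { bool valid; uint32_t s, d; uint16_t sp, dp; bool accept; };
#define CBITS 4                        /* 16 slots: small so collisions actually happen */
static struct centry cache[1 << CBITS];
static unsigned lookups, hits;

/* Constructed mixing function over the 4-tuple, reduced to a slot index. */
static unsigned hash4(uint32_t s, uint16_t sp, uint32_t d, uint16_t dp) {
    uint32_t h = s ^ (d * 0x9E3779B1u) ^ ((uint32_t)sp << 16) ^ dp;
    return (h ^ (h >> 16)) & ((1u << CBITS) - 1);
}

/* Fast path first; on a miss or a colliding entry, fall back to the rule list and refill. */
bool filter(uint32_t s, uint16_t sp, uint32_t d, uint16_t dp) {
    struct centry *e = &cache[hash4(s, sp, d, dp)];
    lookups++;
    if (e->valid && e->s == s && e->d == d && e->sp == sp && e->dp == dp) {
        hits++;
        return e->accept;
    }
    bool verdict = slow_match(s, sp, d, dp);
    *e = (struct centry){ true, s, d, sp, dp, verdict };   /* overwrite on collision */
    return verdict;
}
unsigned cache_hits(void)    { return hits; }
unsigned cache_lookups(void) { return lookups; }
```

The cache only memoises verdicts for a fixed rule table; any change to the rules must invalidate every entry.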