What Order Does FW-1 Apply The Rulebase?

[roadrunner]

What Order Does FW-1 Apply The Rulebase?
Various versions of the FireWall-1 documentation state that the rules are examined in the sequence they are presented in the rulebase. This is generally correct, but you must also take into consideration what is permitted by the "Properties" screens. The "Properties" rules will be enforced appropriately with respect to your rulebase. This means Properties rules marked "First" will be applied before your rulebase, "Before Last" will be applied between rules n-1 and n, and "Last" will be applied after your last rule.

There is one case where FireWall-1 does not process the rules in order but instead uses the rule that is most permissive: when authentication for HTTP, FTP, telnet, and rlogin is used and such a rule is matched in the rulebase. If during the in-order packet processing a rule matches the packet and it uses the security server for authentication (i.e. User Authentication), the rule that ends up being enforced is the "least restrictive" one. Client Auth, Session Auth, and content security rules are processed in-order.

To give you an idea of what this means, consider the following security policy:

No. Source Destination Service Action
1 Any web-server http
https Accept
2 Any external-mail-server smtp Accept
3 Any ftp-server ftp Accept
4 external-mail-server
internal-mail-server internal-mail-server
external-mail-server smtp Accept
5 DMZ-Admins@internal-nets dmz-net telnet
ftp User Auth
6 FW-Admins@internal-nets firewall telnet User Auth
7 Any firewall Any Drop
8 internal-nets Any http->uri_filter
ftp->ftp_filter Accept
9 internal-nets Any telnet
https Accept
10 Any Any Any Drop


Based on the rules and how the rulebase rules are applied, here is how things will apply themselves:


Everyone on the Internet will be able to access the http, smtp, and ftp server without any authentication from the firewall.
Mail will flow between the internal and external smtp servers.
Users in the DMZAdmins group who telnet or ftp from the internal-nets to the ftp server in the dmz-net will have authenticated access to all servers in the dmz-net. However, rule 3 appears before rule 5, so they will not be required to authenticate themselves at the firewall nor will their connection be folded into the appropriate security server. Ordering the rules differently will not solve this problem, but it would cause the connection to be folded into the security servers. If they were in different order, the more permissive rule would still apply (the current rule 3), so it wouldn't accomplish much.
You might think people who telnet from the internal-nets the firewall would get prompted for authentication by FireWall-1 because of rule 6. However, rule 9 is more permissive, so users are not authenticated by FireWall-1 when accessing the firewall via telnet. To fix this, you can simply change the destination field of rule 9 to read "NOT firewall".
When users on internal-nets attempts to access web sites via HTTP and FTP, they will be filtered according to the uri_filter and ftp_filter resources respectively. Accesses to ftp-server and web-server will not be content filtered because rules 1 and 2 also match traffic coming from internal-nets. These connections would not be folded into the HTTP Security Server, either.
All other types of traffic should be dropped per rule 10.
So what is a good "rule of thumb" when ordering the rules in your rulebases? Here's how I typically order my rulebase based on action types:


SecuRemote Encryption rules
Firewall to Firewall Encryption rules
Incoming "accept" rules
Outgoing "accept" rules
Client Authentication rules
Session Authentication rules
User Authentication rules
Clean-up rule
-- PhoneBoy - 10 Jan 2004


FAQForm
FAQs.Class: MiscellaneousFAQs
FAQs.OS:
FAQs.Version: