Rules by order?

Comments

9 comments

  • Firewalla

    We are trying to avoid having ordering in the access control part. The major issue is that complexity usually will have a negative impact, and permutation to test by the user will be a lot more complex. 

    0
  • Donny

    Don't see that one as you read the rules top to bottom as an if then matrix.

    At least can we make blocks take priority then?

    0
  • Firewalla

    The system today is a block first and allows exceptions. (as a firewall, block everything and open some). This is the reason that allow is a higher priority. 

    For block to be higher priority, the system needs to be allow by default, which is something not common

    1
  • Donny

    Conversely, if we allow outbound for 80/443 but wish to prevent machines 1, 2, 3 from having this access, we need block to take priority so that it overrides the allow on the more specific policy.

    0
  • Michael Bierman

    @donny rather than starting with the solution in mind, what is the problem you want to solve that you are currently having trouble with?

    0
  • Donny

    As described above. Broad allows with discrete denies.

    0
  • Michael Bierman

    @donny the question is why? Firewalla has built a system that I think can be summarized in a nutshell as: 

    1. Focus on simplicity. Don't require users to be Cisco certified. 
    2. Deliver a powerful solution that is easy to use. 

    Could Firewalla have made other design decisions? There are certainly other options they could have pursued, such as having the user prioritize rules as you suggest. But at this point in time, if I were Firewalla I would ask myself, "What can't users do that they are asking to do?" Not how but what. Having users prioritize rules is a how. What can't a user do now that is missing? Changing the how without a compelling reason is just a mess for users and a support nightmare. It is also a costly development exercise. 

    I have not found anything that can't be accomplished with the current system. That's why I asked you what is missing. I don't necessarily advise this in general, but today you could: 

    Disable the default Block All Ingress rule or use the DMZ to default allow all traffic and then use discrete denies. 

    That seems to satisfy at least part of what you are asking for. Or am I missing something?


    0
  • Donny

    This is really easy on other devices.

    Rule 1: Block X for Group Kids
    Rule 2: Allow Internet access

    So, by default, adults and media boxes have open access. Anything placed in the group Kids gets blocked.

    0
  • Donny

    And this is absolutely backwards:

    "Allow rules are always like exceptions. For example, if you block YouTube and ALLOW the USA region, the YouTube block will not take effect, since Youtube is in the USA, which is an exception."

    0
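The two precedence models argued over in this thread (ordered first-match, as Donny expects from other devices, versus Firewalla's "a matching allow is an exception that beats any block") give different answers for the same rule set. The following is an added illustration, not code from the thread or from Firewalla; the packet fields, the lambda-based rule matching, and the default-allow for outbound traffic when nothing matches are assumptions made for the example. It evaluates Donny's Kids scenario, the YouTube/USA quote, and Michael's "discrete denies only" workaround under both models:

```python
from dataclasses import dataclass
from typing import Callable, List, Tuple


# Constructed packet model: just the attributes the thread's rules refer to.
@dataclass(frozen=True)
class Packet:
    src_group: str       # e.g. "kids", "adults"
    dst_category: str    # e.g. "youtube", "news"
    dst_region: str      # e.g. "US", "DE"
    dst_port: int


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" or "block"
    matches: Callable[[Packet], bool]    # predicate over the packet (assumed shape)
    name: str


def evaluate_ordered(rules: List[Rule], pkt: Packet,
                     default: str = "allow") -> Tuple[str, str]:
    """Top-to-bottom, first matching rule wins (the model Donny describes)."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action, rule.name
    return default, "default"


def evaluate_allow_wins(rules: List[Rule], pkt: Packet,
                        default: str = "allow") -> Tuple[str, str]:
    """Firewalla's model as described in the thread: any matching allow rule is
    an exception that overrides every matching block, regardless of position."""
    matched = [r for r in rules if r.matches(pkt)]
    for r in matched:
        if r.action == "allow":
            return "allow", r.name
    for r in matched:
        if r.action == "block":
            return "block", r.name
    return default, "default"


def compare(rules: List[Rule], pkt: Packet) -> dict:
    """Verdict of each model for one packet, so the divergence is explicit."""
    return {
        "ordered": evaluate_ordered(rules, pkt)[0],
        "allow_wins": evaluate_allow_wins(rules, pkt)[0],
    }


# Donny's "Rule 1 / Rule 2" example: broad allow with a discrete deny.
KIDS_RULES = [
    Rule("block", lambda p: p.src_group == "kids", "Rule 1: Block X for Group Kids"),
    Rule("allow", lambda p: True, "Rule 2: Allow Internet access"),
]

# The quoted YouTube/USA example: block a site, allow a region containing it.
YOUTUBE_RULES = [
    Rule("block", lambda p: p.dst_category == "youtube", "Block YouTube"),
    Rule("allow", lambda p: p.dst_region == "US", "Allow USA region"),
]

# Michael's workaround: rely on default allow and keep only discrete denies,
# so there is no allow rule for the block to lose against.
WORKAROUND_RULES = [
    Rule("block", lambda p: p.src_group == "kids", "Block X for Group Kids"),
]

if __name__ == "__main__":
    kid = Packet("kids", "news", "US", 443)
    adult = Packet("adults", "news", "US", 443)
    yt = Packet("adults", "youtube", "US", 443)
    for label, rules, pkt in [("kids rules / kid", KIDS_RULES, kid),
                              ("kids rules / adult", KIDS_RULES, adult),
                              ("youtube rules / youtube", YOUTUBE_RULES, yt),
                              ("workaround / kid", WORKAROUND_RULES, kid)]:
        print(f"{label:26} {compare(rules, pkt)}")
```

Under the ordered model the Kids packet is blocked by Rule 1; under the allow-wins model Rule 2 matches too and takes precedence, which is exactly the complaint in the thread. With the workaround rule set (no allow rule at all, default allow) both models agree and the kid is blocked, which is why the thread's suggestion to lean on the default-allow path works for this particular case.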
