I was playing with the Match_Any flag on duplicate services just to see what gets hit when, while I was debugging an H323 problem.
So I created a second port 80 HTTP service with NO INSPECT handler and left it checked as Match Any (I did have it checked).
In this rulebase
I got this error
But when I unchecked it (like you see above) I was able to install and browse with it.
So which service did it use for browsing, the standard HTTP or the Generic?
What happens if I telnet to port 80 and type in junk?
They both use the standard HTTP. Interesting, huh?
OK, get ready to see something even cooler!
Swap the services in the rulebase
What do you think will happen?
Pretty neat? The INSPECT handlers do not get invoked even though the header was an HTTP GET command.
Who cares? Well, the service logic is pretty dumb, and if you have a couple of conflicting services in some huge buried service groups, then you had better know which one gets hit first.
So let's look at the ANY rule.
I fix up the rulebase and make both services “Match Any”.
Look what happens. This is good.
Try it anyway, and OK, the standard one gets hit.
So I take OFF the “Match Any” from the Generic HTTP. It all installs fine; see what we get.
Which seems OK. It favors the INSPECT script. Not sure what the INSPECT script is doing if it allows a telnet session full of garbage, but that’s the deal McNeal, beggars can’t be choosers.
Summary:
1) If there are conflicting ports in a rule, the first one found will be used. So if you have huge groups of services, make sure there are no conflicts OR make sure you know which one will be hit first.
2) The “Match For Any” flag is used to put a service into the “Any” group. Note that the bigger this “Any” group is, the slower the rulebase will be, so use it judiciously. If there are conflicts in the “Any” group, then the INSPECT-enabled service seems to be favored (but I can’t verify that).
3) Services like H323 are weird because (IMHO) CP’s implementation is flawed (see my previous blog post). So if you create new generic services, make sure you call them out explicitly in the rule and don’t rely upon the “Any” rule to catch packets that fall through your rule, because you will hit the INSPECT H323 rule and not the Generic rule.
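As an added illustration of points 1 and 2 (my own model, not Check Point code and not how the product is actually implemented), here is a small script that flattens nested service groups the way the post describes (first found wins), flags port/protocol conflicts, and models the observed "Any" behaviour where an INSPECT-enabled service is favoured. Service and group names are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Service:
    name: str
    proto: str
    port: int
    inspect: bool    # service has an INSPECT handler
    match_any: bool  # "Match for Any" flag is set

# Constructed sample services and nested groups (hypothetical names, not a real policy).
HTTP = Service("http", "tcp", 80, inspect=True, match_any=True)
GENERIC_HTTP = Service("generic_http", "tcp", 80, inspect=False, match_any=True)
SSH = Service("ssh", "tcp", 22, inspect=False, match_any=True)
GROUPS = {  # members may be Service objects or names of other groups
    "web_group": [GENERIC_HTTP, HTTP],
    "admin_group": [SSH, "web_group"],
}

def flatten(member, groups, seen=None):
    """Expand a service or nested group into a flat list, in definition order."""
    seen = set() if seen is None else seen
    if isinstance(member, Service):
        return [member]
    if member in seen:  # skip a group already expanded (also guards against cycles)
        return []
    seen.add(member)
    return [s for m in groups[member] for s in flatten(m, groups, seen)]

def first_match(services, proto, port):
    """Model of the post's observation: the first service found on the port wins."""
    for s in services:
        if s.proto == proto and s.port == port:
            return s.name
    return None

def any_rule_match(all_services, proto, port):
    """Model of the 'Any' pool: only match_any services qualify, and an INSPECT
    service is favoured over a plain one (the post's unverified observation)."""
    pool = [s for s in all_services if s.match_any and s.proto == proto and s.port == port]
    pool.sort(key=lambda s: not s.inspect)  # stable: INSPECT first, then definition order
    return pool[0].name if pool else None

def find_conflicts(services):
    """Return {(proto, port): [names]} for ports defined by more than one service,
    in the order they would be found."""
    by_port = {}
    for s in services:
        by_port.setdefault((s.proto, s.port), []).append(s.name)
    return {k: v for k, v in by_port.items() if len(v) > 1}
```

Running `find_conflicts(flatten("admin_group", GROUPS))` over a real export of your service groups is the check point 1 of the summary asks for; swapping the order inside `web_group` changes what `first_match` returns, just as swapping the services in the rulebase did above.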