I don't trust routing tables to influence filter rules. You set
securelevel = 2 to prevent filter rules modifications and then some BGP
fuckup opens your firewall wide open? Why do you need huge lists of
addresses in rule sets? I agree that duplicating them on multiple
interfaces is annoying, but that's what macros are for.

My routing tables are static, so BGP doesn't come into it. The
duplication is that I have to specify the same set of networks in the
script that sets up the routes and in the filtering rules.
Granted it's not the end of the world, I can live with it. But
conceptually I'm firewalling domains of machines connected to physical
interfaces. I still think it's much cleaner to be able to refer to
those domains of machines by reference to the physical interface.
I want to be able to say INSIDE, OUTSIDE, DMZ1, DMZ2, and have them
guaranteed to correspond to what's physically plugged in to those
ports. Currently it relies on my not screwing up with my macro
definitions.
-roy