On Tue, Dec 10, 2002 at 01:02:21AM +1100, Benjamin M.A. Robson wrote:

> Not filtering on any interface is a -very- bad idea. As if the scenario
> was that I had 3 interfaces, and I only filtered on the Internet
> interface, I now have no access control between the 2nd and 3rd
> interfaces.

Then you filter on all three interfaces and create state on all of them. You have the choice.

> When design decisions were being made, why was it decided not to
> replicate the way IPFilter does this (i.e. 1 rule would imply the
> necessity for the other and this would be taken care of)?

Just because a connection is allowed in on one interface doesn't mean I want to allow it out through ANY of the other interfaces.

I see filtering on an interface as a guard standing at a door. Just because one guard let you into the house doesn't mean you may leave the house through any door you like. You have to pass each guard.

For instance, if I have a three legged firewall with an external interface, a dmz and a client network, I want to allow external hosts to initiate connections to the dmz, so I allow those connections in on the external interface. But I sure don't want that state to pass any packets on the interface to the clients.

Daniel
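The three-legged firewall described in the reply, written out as a pf.conf ruleset added here for illustration (it is not part of the original thread); the interface names and addresses are assumptions, and `set state-policy if-bound` is used because later pf releases default to floating states rather than the per-interface states discussed above.

```pf
# Added example, not from the original thread. Interface names and
# addresses are assumptions chosen for illustration.
ext_if = "fxp0"      # to the Internet
dmz_if = "fxp1"      # to the DMZ
int_if = "fxp2"      # to the client network

dmz_net = "192.0.2.0/24"
int_net = "10.0.0.0/24"
web_srv = "192.0.2.10"

# Bind every state entry to the interface it was created on, so a state
# created by the rule on $ext_if never matches packets seen on $int_if.
# (Early pf behaved this way unconditionally; newer pf defaults to
# floating states, so the policy is set explicitly here.)
set state-policy if-bound

# Default deny on every interface: no pass rule on a door, no passage.
block all

# Guard 1, the external door: Internet hosts may initiate HTTP to the web
# server in the DMZ. This state covers only packets crossing $ext_if.
pass in on $ext_if proto tcp from any to $web_srv port 80 keep state

# Guard 2, the DMZ door: the same connection must be let out here by its
# own rule. Without it the packet stops at $dmz_if even though $ext_if
# already passed it.
pass out on $dmz_if proto tcp from any to $web_srv port 80 keep state

# Guard 3, the client door: nothing from the Internet or the DMZ may
# originate towards the clients, because no rule passes traffic out on
# $int_if. Client-initiated traffic is allowed in on $int_if and then
# out on whichever interface leads to the destination.
pass in  on $int_if from $int_net to any keep state
pass out on $ext_if from $int_net to any keep state
pass out on $dmz_if from $int_net to $dmz_net keep state
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check; an inbound connection to $web_srv then creates states on $ext_if and $dmz_if only, and a packet from that flow arriving on $int_if hits `block all`.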
