On Mon, 2002-12-09 at 09:09, Daniel Hartmeier wrote:
> Just because a connection is allowed in on one interface doesn't mean I
> want to allow it out through ANY of the other interfaces. I see
> filtering on an interface as a guard standing at a door. Just because
> one guard let you into the house doesn't mean you may leave the house
> through any door you like. You have to pass each guard.
Exactly. BenR, what you're seeing here is not a poor design decision. Rather, you've finally been given the fine-grained ability to control everything on your interface(s). How simple or complex these rules become is entirely up to you. Obviously, this level of complexity makes a front-end/wrapper program that much more difficult to code for. Linux Netfilter offers a comparable level of granularity. However, the iptables syntax is MUCH more obscene. I've really learned to appreciate the philosophies behind the PF engine over a very short period of time (skip steps, for example).

-J.
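The "guard at every door" point above, as an added pf.conf example that is not from the original thread: a two-interface gateway where a forwarded connection must be passed on both the interface it enters and the interface it leaves. Interface names, addresses, and the use of `set state-policy if-bound` (a later PF option, chosen so that each interface evaluates its own rules rather than matching a floating state) are assumptions for illustration.

```pf
# Added example, not from the original thread. Interface names (fxp0,
# fxp1) and addresses (10.0.0.80) are assumed for illustration;
# state-policy if-bound is a later PF option used here so that every
# interface really does evaluate its own rules for this flow.
ext_if = "fxp0"
int_if = "fxp1"
www    = "10.0.0.80"

set state-policy if-bound

# Default deny at every door, in both directions; log what is dropped.
block log all

# Guard 1: the external interface admits inbound HTTP to the web server.
pass in  on $ext_if inet proto tcp from any to $www port 80 keep state

# Guard 2: the same forwarded packet then leaves through the internal
# interface, where it is evaluated again. Without this rule 'block all'
# drops it here, even though $ext_if already let it in.
pass out on $int_if inet proto tcp from any to $www port 80 keep state

# Each pass rule creates a state bound to its own interface, so the
# server's replies match those states on fxp1 (in) and fxp0 (out) and
# need no further rules.
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; removing the `pass out on $int_if` rule and watching `tcpdump -n -e -ttt -i pflog0` shows the forwarded SYN being logged as blocked on fxp1 rather than on fxp0.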
