On Sat, Jun 13, 2009 at 5:24 PM, Tom Eastep <[email protected]> wrote:

>
> By definition, SOURCE = 'all:<ip>' implies that packets with the given
> source IP address can originate both on the firewall itself and outside
> of the firewall. Clearly, that isn't possible in any sane network.
> Similarly, where ipsec is involved, the rule says "I don't care whether
> traffic from this IP address is encrypted or not". So I believe a rule
> with such a SOURCE would imply that the user isn't thinking clearly
> about his firewall requirements.
>
>
I don't think this answers my question very well, Tom.

If people care about their IPSec tunnels then they should manage their
firewall more appropriately for sure, but I'm of the opinion that that is
the exception.

The case I have is more of where I'd like to push generic rules without
needing to know the naming or configuration of each and every zone and its
interior or internet-facing delegation. I can glean that information from
existing state, but this seems unnecessarily complex when an all:<ip> rule
would suffice. In that case no one particularly cares if the traffic
originates on $FW or interior zones; those rules just will never match.

Simply put, if there are 3 internet facing zones and one local one it just
overcomplicates the configuration to have the same rule repeated 3 times.

In addition to this, the very fact that I'm creating a host specific rule
should point to the fact that I'm aware of the host being trusted.
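The two forms under discussion, written out as an added illustration (not part of the original mail, and not Shorewall project code). The zone names net1, net2, net3 and the host address 192.0.2.10 are assumptions; the first block is the per-zone repetition the poster objects to, the second is the single all:<ip> rule the poster would prefer, which Tom's reply argues against:

```text
# /etc/shorewall/rules  (constructed example; zone names are assumptions)
#ACTION   SOURCE              DEST    PROTO   DEST PORT(S)
# Same trusted host, one rule per internet-facing zone:
ACCEPT    net1:192.0.2.10     $FW     tcp     22
ACCEPT    net2:192.0.2.10     $FW     tcp     22
ACCEPT    net3:192.0.2.10     $FW     tcp     22

# The form the poster is asking for instead (one rule, any zone).
# Per Tom's reply above this is not the intended way to express the
# requirement, since it also claims the address may originate on $FW or
# an interior zone:
ACCEPT    all:192.0.2.10      $FW     tcp     22
```

In the repeated form, adding a fourth internet-facing zone means remembering to add a fourth copy of every host-specific rule; that maintenance cost, not any difference in matching behaviour, is the poster's point.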
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
