Bill Marquette wrote:
> Anti-spoofing is important and a sufficient use case.

It certainly is. Only I think that having a rulebase per interface just for this is overengineering things, because it makes all other rule work (besides anti-spoofing) needlessly complicated.

Scott Ullrich wrote:
> why not tell us how you envision it should work.

Certainly! I'd like.....

===== (and the story begins) =====

My firewall should have a notion of network segments. Network segments can be many things, but here it means an IP address and a netmask. We'll call those, say, a "network definition", and when we need to be short, a "network".

My firewall would have one pre-defined network called "External network". That network would per definition contain all IP addresses that are not in any of the other network definitions.

In the GUI of my firewall, I would be able to assign to each interface a number of networks. (Details are sketchy - perhaps I can choose whether to also assign an IP in that network to the firewall, perhaps it's mandatory, perhaps the IP is an integral part of the network definition. I don't care..) One particular interface, the WAN interface, should automatically have added one network, namely the "External network".

And voila, the firewall would know which networks live behind which interfaces, and thus it could automagically deduce all anti-spoofing rules.

And when forging the rulebase, the administrator wouldn't have to bother on which interfaces to put various rules, or where to find them again, because there'd only be one rulebase, deprived of anything called "interfaces". (S)he'd only have to bother which networks (or hosts) are allowed to connect to which other networks (or hosts).

=========== (the end) ============
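The model sketched in the message above (network definitions, a pre-defined "External network" covering everything else, networks assigned to interfaces, and anti-spoofing rules derived from that) can be made concrete in a few dozen lines. The following is an added example written for this page, not code from the poster or from any firewall project: the class `NetworkModel`, its method names, the interface names `em0`..`em2`, and the sample prefixes are all assumptions. The generated text uses pf's `table` / `block in quick ... from ! <table>` syntax as an illustration of what such automatic generation could emit; it is not a real firewall's output. It also goes slightly beyond the post by handling an interface that carries more than one network and by using longest-prefix match when definitions overlap.

```python
"""Derive anti-spoofing rules from network definitions and interface assignments."""
import ipaddress

# The one pre-defined network: every address not inside any other definition.
EXTERNAL = "External network"


class NetworkModel:
    def __init__(self):
        # network name -> IPv4Network; the external network has no prefix of its own
        self.networks = {EXTERNAL: None}
        # interface name -> set of network names assigned to that interface
        self.interfaces = {}

    def define_network(self, name, cidr):
        if name == EXTERNAL:
            raise ValueError("the external network is pre-defined and cannot be redefined")
        self.networks[name] = ipaddress.ip_network(cidr, strict=True)

    def add_interface(self, iface, *network_names, wan=False):
        assigned = set(network_names)
        if wan:
            assigned.add(EXTERNAL)  # the WAN interface always carries the external network
        for name in assigned:
            if name not in self.networks:
                raise KeyError(f"unknown network {name!r}")
        self.interfaces[iface] = assigned

    def owner_of(self, ip):
        """Return the network definition an address falls in (longest prefix wins);
        anything outside every definition belongs to the external network."""
        addr = ipaddress.ip_address(ip)
        defined = [(n, net) for n, net in self.networks.items() if net is not None]
        for name, net in sorted(defined, key=lambda kv: kv[1].prefixlen, reverse=True):
            if addr in net:
                return name
        return EXTERNAL

    def is_spoofed(self, iface, src_ip):
        """A packet is spoofed when its source network is not one assigned to the
        interface it arrived on; this is the check the rules below encode."""
        return self.owner_of(src_ip) not in self.interfaces[iface]

    def antispoof_rules(self):
        """Emit pf-style table and block rules, one pair per interface."""
        lines = []
        for iface, assigned in sorted(self.interfaces.items()):
            table = f"{iface}_nets"
            if EXTERNAL in assigned:
                # Sources inside other interfaces' networks are impossible here;
                # everything else is, by definition, "external" and allowed.
                bad = sorted(str(net) for n, net in self.networks.items()
                             if net is not None and n not in assigned)
                lines.append(f"table <{table}> {{ {', '.join(bad)} }}")
                lines.append(f"block in quick on {iface} from <{table}> to any")
            else:
                # Only the assigned prefixes may appear as source on this interface.
                good = sorted(str(self.networks[n]) for n in assigned)
                lines.append(f"table <{table}> {{ {', '.join(good)} }}")
                lines.append(f"block in quick on {iface} from ! <{table}> to any")
        return lines


def example_model():
    """Constructed sample topology: WAN plus a LAN and a DMZ segment."""
    fw = NetworkModel()
    fw.define_network("LAN", "192.168.1.0/24")
    fw.define_network("DMZ", "10.0.0.0/24")
    fw.add_interface("em0", wan=True)      # hypothetical interface names
    fw.add_interface("em1", "LAN")
    fw.add_interface("em2", "DMZ")
    return fw


if __name__ == "__main__":
    fw = example_model()
    print("\n".join(fw.antispoof_rules()))
    print(fw.is_spoofed("em0", "192.168.1.5"))   # LAN address arriving on WAN: spoofed
```

Because the model knows which networks live behind which interface, the per-interface rules fall out of the assignments alone; the administrator's own rulebase can then be expressed purely in terms of networks and hosts, as the post proposes.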
