my response to the m0n0wall list (and let's keep this on one list or the other from now on):

Can you name a firewall vendor that doesn't do per-interface rulesets?
(I'm sure there are some, but virtually all do per-interface)  Or one
good reason it shouldn't be this way?

The vast majority of the time, it makes rulesets much cleaner and
easier to work with, and easier to read and comprehend.  For those
reasons, it's more secure (more difficult to screw something up).  If
you only have two interfaces, this might not be a big deal, but throw
in 6 interfaces or so and a complex ruleset to go along with it, and
the per-interface method makes *much* more sense.



Molle Bestefich wrote:
I'd like.....


What you're describing is essentially Microsoft ISA Server. If you want that, use it. I'd never use the type of ruleset ISA uses in any remotely complex firewall setup. I would never, ever replace my bigger firewalls with ISA because the ruleset on the firewalls would be absolutely nuts with ISA's method. I use ISA as a proxy and the relatively basic ruleset I have, of about 25 rules, is ugly to manage. If I had hundreds of rules with a half dozen interfaces, I would absolutely lose my mind trying to administer one long, completely illegible ruleset. You may think your idea is good in theory, but if you'd ever try to use something like that with any moderately complex setup I think you'd quickly change your mind.

And voila, the firewall would know which networks live behind which
interfaces, and thus it could automagically deduce all anti-spoofing
rules.

It can already do that; it's called a routing table.
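
The point in the last line, that anti-spoofing rules fall out of the routing table once the firewall knows which networks sit behind which interface, is easy to show in code. The following is an added example, not code from the thread, m0n0wall or ISA: it takes a constructed routing table (prefix, egress interface), applies a strict reverse-path check to individual packets, and generates per-interface block rules in ipfilter/pf-style syntax. The table contents, interface names and rule syntax are illustrative assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample routing table: (destination prefix, interface the
# firewall would send traffic for that prefix out of). Assumed layout, not
# the real table format of any particular firewall.
ROUTING_TABLE = [
    ("0.0.0.0/0",      "wan"),   # default route
    ("203.0.113.0/29", "wan"),   # the firewall's own upstream subnet
    ("192.168.1.0/24", "lan"),
    ("192.168.2.0/24", "lan"),   # second subnet routed behind lan
    ("10.10.0.0/16",   "dmz"),
    ("172.16.5.0/24",  "opt1"),
]


def networks_by_interface(table):
    """Group routed prefixes by the interface they are reached through."""
    by_iface = defaultdict(list)
    for prefix, iface in table:
        by_iface[iface].append(ipaddress.ip_network(prefix))
    return dict(by_iface)


def reverse_path_interface(table, src_ip):
    """Longest-prefix match: which interface would the firewall use to reply
    to src_ip?  Returns None when no route covers the address."""
    addr = ipaddress.ip_address(src_ip)
    best = None
    for prefix, iface in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, iface)
    return best[1] if best else None


def spoofed(table, ingress_iface, src_ip):
    """Strict reverse-path check: a packet is treated as spoofed when the
    interface it arrived on is not the one the routing table would use to
    reach its source address (an unroutable source counts as spoofed)."""
    return reverse_path_interface(table, src_ip) != ingress_iface


def antispoof_rules(table):
    """Derive per-interface anti-spoofing rules from the routing table: on
    every interface, block inbound packets whose source lies in a network
    the table places behind a different interface.  The default route is
    skipped, since 0.0.0.0/0 would match everything."""
    by_iface = networks_by_interface(table)
    rules = []
    for iface in sorted(by_iface):
        for other_iface in sorted(by_iface):
            if other_iface == iface:
                continue
            for net in by_iface[other_iface]:
                if net.prefixlen == 0:
                    continue
                # ipfilter/pf-style syntax, used here purely for illustration.
                rules.append(f"block in quick on {iface} from {net} to any")
    return rules


if __name__ == "__main__":
    for rule in antispoof_rules(ROUTING_TABLE):
        print(rule)
    # A LAN address arriving on the WAN is the classic spoof case.
    print(spoofed(ROUTING_TABLE, "wan", "192.168.1.5"))   # True
    print(spoofed(ROUTING_TABLE, "lan", "192.168.1.5"))   # False
```

The generated rule set is what the per-interface model gives you for free: each interface only ever sees rules about addresses that do not belong on it. The caveat a practitioner should keep in mind is that the strict reverse-path check in `spoofed` assumes symmetric routing; with asymmetric paths (two upstreams, policy routing) it will drop legitimate traffic, which is why the generated block rules above only reject sources that are positively known to live behind another interface rather than everything the default route covers.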

