Gary Buckmaster wrote:
A master rule set, especially for those of us with more complex networks, would be unmanageable. Right now, I have a 3-NIC firewall configuration handling over 65 publicly addressable machines, and when you factor in VPN interfaces, that list of rules alone is pretty beefy. In the near future, we'll be scaling up to an even more complex environment. Having rules per interface gives me a very easy and efficient way to manage my network. Trying to troubleshoot an issue against a master rules list would be a nightmare.
Let's say that the inherent simplicity of one rulebase vs. many is something that we want, just to give the idea a little more lifetime before shooting it down like that. I think there are other solutions to the "too many rules" complexity you're outlining. For example, you could allow the user to group consecutive rules into a group, perhaps give the group a descriptive name, and allow a bit of JavaScript to show/hide it with a click on a '+/-' button. Best of both worlds: you can group rules exactly as you want, not just per interface, and every other firewall administrator in the world doesn't have to think interfaces into their rulebases when the interface is in most cases completely irrelevant given the host or network. Does that fix your problem?
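As an added illustration of the reply's two points (the interface can be derived from the host or network a rule names, and consecutive rules can be folded into named groups with a +/- view), here is example code that is not part of the thread. The interface table and the rulebase are constructed sample data; the group names are hypothetical.

```python
"""Single rulebase: derive each rule's ingress interface from its source network
by longest-prefix match, then fold consecutive rules into named, collapsible groups."""
import ipaddress

# Constructed interface table: interface name -> directly attached networks.
# 0.0.0.0/0 on WAN makes it the catch-all for anything not attached locally.
INTERFACES = {
    "LAN": ["192.168.1.0/24"],
    "DMZ": ["203.0.113.0/26"],
    "VPN": ["10.8.0.0/24", "10.9.0.0/24"],
    "WAN": ["0.0.0.0/0"],
}

# Constructed rulebase: (group name, action, source, destination, destination port).
RULES = [
    ("web servers", "pass", "0.0.0.0/0", "203.0.113.10/32", 443),
    ("web servers", "pass", "0.0.0.0/0", "203.0.113.11/32", 443),
    ("admin access", "pass", "10.8.0.0/24", "203.0.113.0/26", 22),
    ("admin access", "block", "192.168.1.0/24", "203.0.113.0/26", 22),
    ("mail", "pass", "203.0.113.0/26", "0.0.0.0/0", 25),
]

def ingress_interface(source, interfaces=INTERFACES):
    """Return the interface whose attached network most specifically contains the
    rule's source network (longest prefix wins); None if nothing contains it."""
    src = ipaddress.ip_network(source)
    best = None  # (interface name, prefix length)
    for name, nets in interfaces.items():
        for cidr in nets:
            net = ipaddress.ip_network(cidr)
            if src.subnet_of(net) and (best is None or net.prefixlen > best[1]):
                best = (name, net.prefixlen)
    return best[0] if best else None

def group_rules(rules=RULES):
    """Fold consecutive rules sharing a group name into one block, annotating each
    rule with the interface derived from its source."""
    groups = []
    for group, action, src, dst, port in rules:
        if not groups or groups[-1]["name"] != group:
            groups.append({"name": group, "rules": []})
        groups[-1]["rules"].append({"action": action, "src": src, "dst": dst,
                                    "port": port, "iface": ingress_interface(src)})
    return groups

def render(groups, expanded=()):
    """Text form of the +/- view: collapsed groups show only a header and a count."""
    lines = []
    for g in groups:
        lines.append(f"[{'-' if g['name'] in expanded else '+'}] {g['name']} ({len(g['rules'])} rules)")
        for r in (g["rules"] if g["name"] in expanded else []):
            lines.append(f"    {r['action']:5} on {r['iface']:3} {r['src']} -> {r['dst']} port {r['port']}")
    return lines
```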
