Okay, I got it. Since I think pfSense rocks and I have experience with 4 or 5 firewall types, I will spend 5 min/day away from family and work to spec out improvements to pfSense. Real formal stuff that we can all vet. I can draw from experience with:

Checkpoint FW1 4.1 & NG
Cisco PIX 515
IP Chains
PF
WatchGuard

If anyone wants to volunteer to review my contributions, let me know.

Park

On Thursday, June 01, 2006, at 03:36PM, Chris Buechler <[EMAIL PROTECTED]> wrote:

> my response to the m0n0wall list (and let's keep this on one list or the other from now on):
>
> Can you name a firewall vendor that doesn't do per-interface rulesets? (I'm sure there are some, but virtually all do per-interface) Or one good reason it shouldn't be this way?
>
> The vast majority of the time, it makes rulesets much cleaner and easier to work with, and easier to read and comprehend. For those reasons, it's more secure (more difficult to screw something up). If you only have two interfaces, this might not be a big deal, but throw in 6 interfaces or so and a complex ruleset to go along with it, and the per-interface method makes *much* more sense.
>
> Molle Bestefich wrote:
>> I'd like.....
>
> What you're describing is essentially Microsoft ISA Server. If you want that, use it. I'd never use the type of ruleset ISA uses in any remotely complex firewall setup. I would never, ever replace my bigger firewalls with ISA because the ruleset on the firewalls would be absolutely nuts with ISA's method. I use ISA as a proxy and the relatively basic ruleset I have, of about 25 rules, is ugly to manage. If I had hundreds of rules with a half dozen interfaces, I would absolutely lose my mind trying to administer one long, completely illegible ruleset. You may think your idea is good in theory, but if you'd ever try to use something like that with any moderately complex setup I think you'd quickly change your mind.
>
>> And voila, the firewall would know which networks live behind which
>> interfaces, and thus it could automagically deduce all anti-spoofing
>> rules.
>
> It can already do that, it's called a routing table.
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]

Park Foreman, CISSP, ISSAP
[EMAIL PROTECTED]
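Chris's closing point, that the routing table already tells the firewall which networks live behind which interfaces, can be turned into per-interface anti-spoofing rules mechanically. The script below is an added example, not code from this thread or from pfSense: it parses a constructed netstat -rn style routing table and emits PF table and block rules for each interface. PF's own `antispoof for <if>` keyword covers directly connected networks; this version also includes networks reached through a gateway on that interface. The interface names (em0 as WAN, em1/em2 internal) and the routes are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed netstat -rn style routing table (sample data, not from the thread).
# em0 is the WAN (default route); em1 and em2 are internal interfaces.
SAMPLE_ROUTES = """\
Destination        Gateway            Flags     Netif
default            203.0.113.1        UGS       em0
127.0.0.1          link#2             UH        lo0
192.168.1.0/24     link#1             U         em1
10.10.0.0/16       link#3             U         em2
172.16.5.0/24      192.168.1.254      UG        em1
"""


def parse_routes(text):
    """Return (destination, gateway, flags, netif) tuples, skipping the header."""
    routes = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) >= 4:
            routes.append(tuple(parts[:4]))
    return routes


def networks_behind(routes):
    """Map each non-loopback interface to the networks reachable through it.

    The default route is excluded: 'everything else' lives behind the WAN,
    so the WAN gets no positive list of its own networks."""
    behind = defaultdict(set)
    for dest, _gw, _flags, netif in routes:
        if dest == "default" or netif.startswith("lo"):
            continue
        behind[netif].add(ipaddress.ip_network(dest, strict=False))
    return behind


def antispoof_rules(routes, wan="em0"):
    """Emit PF rules: each internal interface only accepts its own source
    networks, and the WAN rejects packets claiming an internal source."""
    behind = networks_behind(routes)
    rules = []
    for netif in sorted(behind):
        nets = ", ".join(sorted(str(n) for n in behind[netif]))
        rules.append(f"table <{netif}_nets> {{ {nets} }}")
    for netif in sorted(behind):
        rules.append(f"block in quick on {netif} from ! <{netif}_nets>")
        rules.append(f"block in quick on {wan} from <{netif}_nets>")
    return rules


if __name__ == "__main__":
    print("\n".join(antispoof_rules(parse_routes(SAMPLE_ROUTES))))
```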
