Hi Molle!

On Thursday, 01.06.2006, at 23:46 +0200, Molle Bestefich wrote:
> It's all added complexity to me - the interface information is
> implicit in the network or host that's already defined for each rule
> anyway. Having to stuff specific rules "into specific interfaces" is
> just completely superfluous, it seems to me.

No, it definitely isn't. Just take a look at an example:

from        to          proto  src port  dst port
0.0.0.0/0   192.18.0.2  tcp    >1023     80

Ok, seems simple, but for three interfaces, this ''simple'' rule would
expand to:

iface  from        to          proto  src port  dst port
LAN    0.0.0.0/0   192.18.0.2  tcp    >1023     80
WAN    0.0.0.0/0   192.18.0.2  tcp    >1023     80
DMZ    0.0.0.0/0   192.18.0.2  tcp    >1023     80

Ok, now assume I want only the second rule to match. In the first
scenario, you would have to type:

(LAN: 192.18.0.0/24, DMZ: 62.99.0.0/24)

from            to          proto  src port  dst port
!192.18.0.0/24  192.18.0.2  tcp    >1023     80
!62.99.0.0/24   192.18.0.2  tcp    >1023     80
0.0.0.0/0       192.18.0.2  tcp    >1023     80

Do you think that this is really easier than just typing:

iface  from        to          proto  src port  dst port
WAN    0.0.0.0/0   192.18.0.2  tcp    >1023     80

And as ChrisB stated before: It's just like a matter of personal
preference. I can see no cause why m0n0wall shouldn't use per interface
rulesets, but feel free to submit a patch that allows both: per
interface rulesets and ''global'' rulesets, just like fwbuilder does.

> > What's this "ISA server", and what is it similar to?

http://en.wikipedia.org/wiki/Microsoft_Internet_Security_and_Acceleration_Server

> I find it irrelevant to the discussion what others are doing, though :-).

Did we start that discussion?

BR, PIT

---------------------------------------------------------------------------
 copyleft(c) by |  ... Linux's capacity to talk via any medium
 Peter Allgeyer |  except smoke signals. -- Dr. Greg Wettstein,
                |  Roger Maris Cancer Center
---------------------------------------------------------------------------
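Added example, not part of the original message and not m0n0wall code: a small Python model of the rule tables above, showing which arrival interfaces each ruleset lets through. The class and function names, the sample packets and the reading of the two "!network" lines as exclusions that must both hold are assumptions made for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# LAN and DMZ networks are the ones named in the message.
LAN, DMZ = ip_network("192.18.0.0/24"), ip_network("62.99.0.0/24")

@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on, known to the firewall
    src: str
    dst: str
    proto: str
    sport: int
    dport: int

@dataclass(frozen=True)
class Rule:
    src: str                      # source network in CIDR form
    dst: str
    proto: str
    dport: int
    iface: Optional[str] = None   # None = rule is not bound to an interface
    negate_src: bool = False      # True models the "!network" notation

    def matches(self, p: Packet) -> bool:
        in_src = ip_address(p.src) in ip_network(self.src)
        return ((self.iface is None or self.iface == p.iface)
                and in_src != self.negate_src
                and p.dst == self.dst and p.proto == self.proto
                and p.sport > 1023 and p.dport == self.dport)  # src port >1023

def ifaces_matched(rules, packets, mode=any):
    """Interfaces whose packet satisfies any (or, with mode=all, every) rule."""
    return sorted({p.iface for p in packets if mode(r.matches(p) for r in rules)})

# Constructed sample: one packet per interface, all aimed at 192.18.0.2:80.
PACKETS = [Packet("LAN", "192.18.0.77", "192.18.0.2", "tcp", 40000, 80),
           Packet("WAN", "203.0.113.9", "192.18.0.2", "tcp", 40000, 80),
           Packet("DMZ", "62.99.0.5", "192.18.0.2", "tcp", 40000, 80)]

GLOBAL = [Rule("0.0.0.0/0", "192.18.0.2", "tcp", 80)]
WAN_ONLY = [Rule("0.0.0.0/0", "192.18.0.2", "tcp", 80, iface="WAN")]
# Address-only emulation of WAN_ONLY: both exclusions must hold (assumption).
EXCLUDE = [Rule(str(LAN), "192.18.0.2", "tcp", 80, negate_src=True),
           Rule(str(DMZ), "192.18.0.2", "tcp", 80, negate_src=True)]

if __name__ == "__main__":
    print(ifaces_matched(GLOBAL, PACKETS))             # interface-less rule
    print(ifaces_matched(WAN_ONLY, PACKETS))           # per-interface rule
    print(ifaces_matched(EXCLUDE, PACKETS, mode=all))  # address-only emulation
```

The address-only form depends on the LAN and DMZ prefixes staying in sync with the interfaces, while the WAN rule does not.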
