Peter Allgeyer wrote:
> It's all added complexity to me - the interface information is
> implicit in the network or host that's already defined for each rule
> anyway. Having to stuff specific rules "into specific interfaces" is
> just completely superfluous, it seems to me.
> No it definitely isn't. Just take a look at an example:
>
> from       to          proto  src port  dst port
> 0.0.0.0/0  192.18.0.2  tcp    >1023     80
>
> Ok, seems simple, but for three interfaces, this "simple" rule would
> expand to:
"Would" in what context?
Who says it would expand?
You must be thinking of a different solution than I am.
> iface  from       to          proto  src port  dst port
> LAN    0.0.0.0/0  192.18.0.2  tcp    >1023     80
> WAN    0.0.0.0/0  192.18.0.2  tcp    >1023     80
> DMZ    0.0.0.0/0  192.18.0.2  tcp    >1023     80
>
> Ok, now assume I want only the second rule to match. In the first
> scenario, you would have to type:
>
> (LAN: 192.18.0.0/24, DMZ: 62.99.0.0/24)
>
> from            to          proto  src port  dst port
> !192.18.0.0/24  192.18.0.2  tcp    >1023     80
> !62.99.0.0/24   192.18.0.2  tcp    >1023     80
> 0.0.0.0/0       192.18.0.2  tcp    >1023     80
>
> Do you think that this is really easier than just typing:
No. I think you are thinking in the wrong direction if you want rules
from one rulebase to magically expand into four rulebases. That's not
something I've ever wanted; I'm unsure how you ended up on that train
of thought.
It's just a matter of personal preference.
Until proven otherwise, I'll remain convinced that multiple rulebases
make things more complicated than they should be.
I've previously accepted that grouping rules is a nice feature, but
I'm not convinced why grouping has to be done per interface - as far
as I can see, doing that comes with a lot of nasty side effects.
> feel free to submit a patch that allows both
I don't feel that too many options affecting the GUI's behaviour are a
good thing.
I like to think of "what's the simplest overall solution for the GUI"
and aim for that.
But maybe if it's well thought-out, a "keep it simple" option that
both enabled a single rulebase and also got rid of a couple of other
idiosyncrasies would be a positive thing :-). I'll give it some
thought.
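To make the disagreement above concrete, here is a small first-match evaluator for the rule tables quoted in this thread. It is an added example, not code from the post, the list or the firewall GUI being debated, and it fills in semantics the post never states: rules are checked top to bottom and the first match wins, every listed row is an accept rule, a missing interface column means "any interface", and the address-only variant is written as one rule excluding both the LAN and DMZ networks (the post's three-row table shows no action column, so how it was meant to be read is my assumption). The client address 203.0.113.7 and source port 40000 are constructed sample values.

```python
"""First-match evaluator for the rule tables discussed in the thread.

Added example (not the post's or the GUI's own code). Assumed semantics:
top-down first match, every row accepts, iface=None means any interface,
several '!'-networks in one source field mean "none of these".
"""
import ipaddress
from dataclasses import dataclass
from typing import Callable, List, Optional


def net_matcher(spec: str) -> Callable[[str], bool]:
    """'0.0.0.0/0', '192.18.0.2', '!192.18.0.0/24,!62.99.0.0/24' -> predicate on an IP."""
    parts = [p.strip() for p in spec.split(",")]
    positives = [ipaddress.ip_network(p, strict=False) for p in parts if not p.startswith("!")]
    negatives = [ipaddress.ip_network(p[1:], strict=False) for p in parts if p.startswith("!")]

    def match(ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        if any(addr in n for n in negatives):   # excluded networks always lose
            return False
        return not positives or any(addr in n for n in positives)

    return match


def port_matcher(spec: str) -> Callable[[int], bool]:
    """'80', '>1023', '<1024' or 'any' -> predicate on a port number."""
    if spec == "any":
        return lambda p: True
    if spec[0] in "<>":
        bound = int(spec[1:])
        return (lambda p: p > bound) if spec[0] == ">" else (lambda p: p < bound)
    value = int(spec)
    return lambda p: p == value


@dataclass(frozen=True)
class Packet:
    iface: str      # interface the packet arrived on
    src: str
    dst: str
    proto: str
    sport: int
    dport: int


class Rule:
    """One table row: from, to, proto, src port, dst port, optional iface."""

    def __init__(self, src, dst, proto, sport, dport, iface=None):
        self.iface = iface            # None == any interface (no iface column)
        self.src = net_matcher(src)
        self.dst = net_matcher(dst)
        self.proto = proto
        self.sport = port_matcher(sport)
        self.dport = port_matcher(dport)

    def matches(self, pkt: Packet) -> bool:
        return ((self.iface is None or self.iface == pkt.iface)
                and self.proto in ("any", pkt.proto)
                and self.src(pkt.src) and self.dst(pkt.dst)
                and self.sport(pkt.sport) and self.dport(pkt.dport))


def first_match(rules: List[Rule], pkt: Packet) -> Optional[int]:
    """Index of the first rule accepting pkt, or None (implicit drop)."""
    for i, rule in enumerate(rules):
        if rule.matches(pkt):
            return i
    return None


WEB = ("192.18.0.2", "tcp", ">1023", "80")   # to, proto, src port, dst port

# The tables from the thread, under the assumptions stated above.
single = [Rule("0.0.0.0/0", *WEB)]                                  # one rulebase
per_iface = [Rule("0.0.0.0/0", *WEB, iface=i) for i in ("LAN", "WAN", "DMZ")]
wan_only = [Rule("0.0.0.0/0", *WEB, iface="WAN")]                   # "only the second rule"
by_address = [Rule("!192.18.0.0/24,!62.99.0.0/24", *WEB)]           # same intent, no iface column


def where_accepted(rules: List[Rule], src: str) -> List[str]:
    """Interfaces on which src:40000 -> 192.18.0.2:80 (constructed sample) is accepted."""
    return [i for i in ("LAN", "WAN", "DMZ")
            if first_match(rules, Packet(i, src, "192.18.0.2", "tcp", 40000, 80)) is not None]


if __name__ == "__main__":
    for name, rules in [("single", single), ("per_iface", per_iface),
                        ("wan_only", wan_only), ("by_address", by_address)]:
        print(f"{name:10} internet client -> {where_accepted(rules, '203.0.113.7')}")
        print(f"{name:10} LAN-addressed   -> {where_accepted(rules, '192.18.0.9')}")
```

Running it shows where the two styles actually diverge: for an ordinary Internet client the single rule, the three per-interface rules and the address-negated rule all accept on every interface, and only the WAN-pinned rule restricts acceptance to WAN. The predicates part company when the source address and the arrival interface disagree: a packet carrying a LAN address is accepted by the WAN-pinned rule if it arrives on WAN, while the address-negated rule rejects it on every interface. Which behaviour is wanted is exactly the design question the thread is arguing about; the evaluator just makes the difference visible.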