-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In the case where there are only 2 interfaces in use on a firewall, you may be correct that per-interface rules are pointless.

However, most of my real case situations involve 3+ interfaces.

Test case: A small IT company. Has a DMZ for their web/mail etc. Has a staff net for their own workstations. Has a test net where they hook up customer machines. Obviously the customer machines are untrusted. Riddled with viruses. Etc. So while you need to allow port 80 out to the INet so they can update Norton, et al, you do not want to allow port 80 access to their DMZ. Etc. Don't think you can do that without per-interface rulesets.

2nd test case: Small local hospital. Lots of service vendors. One vendor has their own T1 and firewall directly into the Radiology department. The radiology department is in multiple spaces throughout the building (old hospital -- no money), so they are on a VLAN to allow them to be "contiguous". The Radiology vendor needs to be blocked from the rest of the building. Accounting department: yet another VLAN. HIPAA restrictions are such that the accounting department has no business on the radiology LAN. Accounting uses a vendor who also has a T1 into the building. This T1 is bridged [sigh] for reasons I won't go into. They come in on their own interface. Individual physicians have discrete office space they rent from the hospital. They have INet access, but need to be restricted from most of the hospital's servers. Etc. etc. ad nauseam.

No way you could do that without per-interface rules.

Bill Marquette wrote:
> Anti-spoofing is important and a sufficient use case. Please try to
> convince us why we're wrong. We're not going to spend any time trying
> to convince you why we're right.
>
> --Bill
>
> On 6/1/06, Molle Bestefich <[EMAIL PROTECTED]> wrote:
>> Scott Ullrich wrote:
>> > I agree with Bill.
>>
>> Covered that one ;-).
>>
>> > Not to mention we inherited this behavior from m0n0wall.
>>
>> Can't see how that translates to "has a real use cases besides
>> antispoofing".

- --
Eric W. Bates
[EMAIL PROTECTED]

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iD8DBQFEgGZPD1roJTQ4LlERAhYJAJ4uo7lMkCEUL4t/0UHqDYNf00AAjgCgn2lh
Pa9UAZJy12EUmodq+NoDIcE=
=6Ypf
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
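The first test case in Eric's message (DMZ, staff net, customer test net) as a hand-written pf ruleset, added here as an illustration and not taken from the thread or from pfSense's generated rules. Interface names (em0 to em3), the subnets, and the choice of which ports each segment may use are all assumptions; the point it shows is that the "in on $interface" qualifier is what lets a packet from the test net reach port 80 on the Internet while the same port on the DMZ stays closed, and that anti-spoofing is a separate, per-interface concern.

```pf
# Added example, not from the mailing list thread. Interface names and
# addressing below are constructed for illustration.
wan   = "em0"
dmz   = "em1"
staff = "em2"
test  = "em3"

dmz_net   = "192.0.2.0/24"      # constructed: public-facing web/mail hosts
staff_net = "10.10.0.0/24"      # constructed: company workstations
test_net  = "10.20.0.0/24"      # constructed: untrusted customer machines

set skip on lo0

# Default deny on every interface, in both directions; everything that is
# allowed below creates state, so reply traffic never needs its own rule.
block log all

# Anti-spoofing, per interface: a packet arriving on em3 claiming a source
# address from the DMZ or staff range is dropped before any pass rule.
antispoof log quick for { $dmz, $staff, $test }

# Customer test net. pf is last-match unless a rule says "quick", so the
# block for internal destinations must be quick, otherwise the broader
# "to any port 80" pass below would win for a packet aimed at the DMZ.
block in log quick on $test from $test_net to { $dmz_net, $staff_net }
pass  in on $test proto tcp from $test_net to any port { 80, 443 } keep state
pass  in on $test proto udp from $test_net to any port 53 keep state

# Staff net: may use the DMZ services and the Internet.
pass in on $staff from $staff_net to any keep state

# DMZ: reachable from the Internet on the published services only, and not
# allowed to initiate connections into the staff or test segments.
pass  in on $wan proto tcp from any to $dmz_net port { 25, 80, 443 } keep state
block in log quick on $dmz from $dmz_net to { $staff_net, $test_net }
pass  in on $dmz from $dmz_net to any keep state

# Traffic originating on the firewall itself (DNS, package updates).
pass out all keep state
```

The rules are evaluated per arriving interface, so the same destination (port 80) gets a different answer depending on whether the packet came in on em2 or em3; collapsing them into a single interface-agnostic list would require encoding the segment in the source address alone, which the antispoof rules show is exactly the property an attacker on a shared segment would try to forge. Checking the ruleset with `pfctl -nf /etc/pf.conf` parses it without loading it.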
