Your point is well taken, but I respectfully and categorically disagree.

An interface NOT listening for a service is a far better use of resources than inspecting and comparing packets to a filter rule. Just think about it for a minute and it will become blatantly apparent.

In firewalls employing packet filtering (as is the case w/ pfSense), where you have to inspect every packet and compare against policies/filters... the less you HAVE to inspect, the better use of resources you'll achieve.

Understandably, this is a small amount of resource for one policy on each interface, but nonetheless a wasted resource, especially if you can achieve the same effect through package configuration, daemon listening isolation and interface-to-daemon association.
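As an added example (not part of this thread), a small Python audit of the "daemon listening isolation" point above: it parses a sockstat-style listener table from a FreeBSD/pfSense host and flags daemons bound to the wildcard address rather than to one interface address. The listing and its column layout are constructed for the example.

```python
"""Audit a FreeBSD/pfSense `sockstat -l` listing for daemons bound to the
wildcard address instead of a specific interface address.

The sample listing below is constructed for this example, not captured
from a real system; the column layout follows sockstat's usual header
(USER COMMAND PID FD PROTO LOCAL ADDRESS FOREIGN ADDRESS).
"""

# Constructed sample output in the shape `sockstat -4l` prints.
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     openvpn    1234  5  udp4   *:1194                *:*
root     sshd       800   4  tcp4   192.168.1.1:22        *:*
root     unbound    900   3  udp4   *:53                  *:*
root     lighttpd   700   6  tcp4   192.168.1.1:443       *:*
"""


def parse_sockstat(text):
    """Return a list of (command, proto, local_address) for each listener."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        # Skip the header row and any malformed lines.
        if len(fields) < 7 or fields[0] == "USER":
            continue
        command, proto, local = fields[1], fields[4], fields[5]
        listeners.append((command, proto, local))
    return listeners


def wildcard_listeners(text):
    """Return the listeners bound to every address (`*:port`), i.e. the
    daemons that depend on firewall rules, not on their own binding, to
    keep the service off internal interfaces."""
    return [(cmd, proto, local) for cmd, proto, local in parse_sockstat(text)
            if local.startswith("*:")]


if __name__ == "__main__":
    for cmd, proto, local in wildcard_listeners(SAMPLE_SOCKSTAT):
        # OpenVPN, for instance, can be pinned to one address with its
        # `local <address>` directive instead of relying on a block rule.
        print(f"{cmd} ({proto}) listens on all addresses: {local}")
```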
----- Original Message -----
Subject: Re: AW: [pfSense Support] OpenVPN ??
From: RB
To: [email protected]
Date: 23-07-2007 11:26 am
Your intent may be better served by allowing it to listen on all, but create blocking rules in the [presumably] static internal interfaces. Yes, you must add a new rule every time you add another interface, but that's still less administration than the alternative. It's not as elegant as having each individual application decide what it listens to, but then again a separately controlled and audited firewall really is more appropriate and secure.

You can set interface-based rules, which should satisfy your need there.
RB