David - Check out http://www.howstuffworks.com/firewall1.htm. Specifically read the "What it Does" section.

Thanks.
javatexan

On 7/23/07, David L. Strout <[EMAIL PROTECTED]> wrote:
Your point is well taken, but I respectfully and categorically disagree. An interface NOT listening for a service is a far better use of resources than inspecting and comparing packets to a filter rule. Just think about it for a minute and it will become blatantly apparent. In firewalls employing packet filtering (as is the case with pfSense), where you have to inspect every packet and compare it against policies/filters, the less you HAVE to inspect, the better use of resources you'll achieve. Understandably, this is a small amount of resource for one policy on each interface, but nonetheless a wasted resource, especially if you can achieve the same effect through package configuration, daemon listening isolation and interface-to-daemon association.

----- Original Message -----
Subject: Re: AW: [pfSense Support] OpenVPN ??
From: RB <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Date: 23-07-2007 11:26 am

Your intent may be better served by allowing it to listen on all, but create blocking rules in the [presumably] static internal interfaces. Yes, you must add a new rule every time you add another interface, but that's still less administration than the alternative. It's not as elegant as having each individual application decide what it listens to, but then again a separately controlled and audited firewall really is more appropriate and secure. You can set interface-based rules, which should satisfy your need there.

RB
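The two approaches argued in the thread, side by side, as an added example that is not from the thread, from pfSense, or from OpenVPN's own documentation: the daemon-side binding David describes (OpenVPN's `local` directive, so the socket never exists on internal addresses) and the firewall-side isolation RB describes (listen everywhere, block on each internal interface). The OpenVPN server fragment and the raw pf.conf fragment below assume interface names em0 (WAN), em1 (LAN) and em2 (DMZ), the WAN address 203.0.113.10, and UDP port 1194; all of these are assumptions for illustration.

```conf
# ---------------------------------------------------------------------------
# Approach 1: daemon-side isolation (what David argues for)
# OpenVPN server config fragment; path and addresses assumed for illustration.
# ---------------------------------------------------------------------------
proto udp
port 1194
# Bind only to the WAN address. With "local" set, OpenVPN opens one socket on
# 203.0.113.10:1194 instead of a wildcard *:1194, so packets arriving on LAN or
# DMZ addresses are never delivered to the daemon, whatever the firewall says.
local 203.0.113.10
dev tun
# (remaining server directives such as ca/cert/key/dh/server are unchanged)

# ---------------------------------------------------------------------------
# Approach 2: firewall-side isolation (what RB argues for)
# Raw pf.conf fragment. pfSense generates its ruleset from the GUI, so on a
# pfSense box this is expressed as an interface rule on each internal
# interface rather than edited by hand; the pf semantics are the same.
# ---------------------------------------------------------------------------
wan_if  = "em0"          # assumed WAN interface
int_ifs = "{ em1 em2 }"  # assumed LAN and DMZ; every new internal interface
                         # must be added here, which is RB's administration cost

# Drop OpenVPN connection attempts that arrive on any internal interface.
# "quick" makes this a final decision, so no later pass rule can re-admit them.
# "self" expands to every address configured on the firewall.
block in quick on $int_ifs proto udp from any to self port 1194

# Only the WAN interface accepts OpenVPN clients.
pass in quick on $wan_if proto udp from any to ($wan_if) port 1194 keep state
```

To check which approach is actually in effect on a FreeBSD-based box, `sockstat -4l` shows whether OpenVPN is bound to `203.0.113.10:1194` (approach 1) or `*:1194` (listening on all interfaces, so approach 2 is doing the work), and `pfctl -sr` lists the loaded rules; `pfctl -nf /etc/pf.conf` parses a ruleset without loading it. The two approaches fail differently: `local` needs a fixed address, so it breaks on a WAN whose address changes, while the block rule leaves any newly added internal interface exposed until its rule is added. They are not mutually exclusive, and running both costs one extra rule per interface.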
