Re: [pfSense Support] Re: per-interface rulebases: why?

2006-06-04 Thread Fuchs, Martin
Yep!

I agree with the ISA thing!
At work we also have an ISA appliance, but only for caching proxy and reverse 
proxying, and even the rules to permit AD auth and so on make you mad!

The way pfSense makes it with rulesets is the way EVERY firewall I've seen 
makes it and for me it's the only one logical way...

I guess it does not make much sense to convert to the ISA way, because when you 
think about the ca. 500 rules you have in a large company you'll get mad with 
ISA-style...

It's like GPOs in W2K3 then... You have to look at the resultant set of 
policies to know what is going on, because when there are so many rules you'll 
never see at first view what's up...

Keep on going with the per-if-rules, guys ;-)

Martin 

-----Original Message-----
From: Chris Buechler [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 1 June 2006 21:35
To: support@pfsense.com
Subject: Re: [pfSense Support] Re: per-interface rulebases: why?

my response to the m0n0wall list (and let's keep this on one list or the other 
from now on):

Can you name a firewall vendor that doesn't do per-interface rulesets?
 (I'm sure there are some, but virtually all do per-interface)  Or one good 
reason it shouldn't be this way?

The vast majority of the time, it makes rulesets much cleaner and easier to 
work with, and easier to read and comprehend.  For those reasons, it's more 
secure (more difficult to screw something up).  If you only have two 
interfaces, this might not be a big deal, but throw in 6 interfaces or so and a 
complex ruleset to go along with it, and the per-interface method makes *much* 
more sense.



Molle Bestefich wrote:
 I'd like.


What you're describing is essentially Microsoft ISA Server.  If you want that, 
use it.  I'd never use the type of ruleset ISA uses in any remotely complex 
firewall setup.  I would never, ever replace my bigger firewalls with ISA 
because the ruleset on the firewalls would be absolutely nuts with ISA's 
method.  I use ISA as a proxy and the relatively basic ruleset I have, of about 
25 rules, is ugly to manage.  
If I had hundreds of rules with a half dozen interfaces, I would absolutely 
lose my mind trying to administer one long, completely illegible ruleset.  You 
may think your idea is good in theory, but if you'd ever try to use something 
like that with any moderately complex setup I think you'd quickly change your 
mind. 


 And voila, the firewall would know which networks live behind which 
 interfaces, and thus it could automagically deduce all anti-spoofing 
 rules.

It can already do that, it's called a routing table. 



-
To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: 
[EMAIL PROTECTED]



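The last point in Chris's reply, that the routing table already tells the firewall which networks live behind which interface and so determines the anti-spoofing rules, as an added example (not code from the thread or from pfSense). The routing table below is a constructed topology; the emitted rule lines follow pf syntax.

```python
import ipaddress

# Constructed routing table (assumed topology, not from the thread):
# interface -> networks the routing table says live behind it.
ROUTES = {
    "em0": ["192.0.2.0/24"],                        # LAN
    "em1": ["198.51.100.0/24", "203.0.113.0/24"],  # two DMZ subnets
    "em2": ["0.0.0.0/0"],                           # WAN, default route
}


def _parse(routes):
    return {ifc: [ipaddress.ip_network(n) for n in lst] for ifc, lst in routes.items()}


def reverse_path(routes, src):
    """Longest-prefix lookup: the interface the firewall would use to reach src."""
    addr = ipaddress.ip_address(src)
    best = None
    for ifc, nets in _parse(routes).items():
        for net in nets:
            if addr in net and (best is None or net.prefixlen > best[1].prefixlen):
                best = (ifc, net)
    return best[0] if best else None


def is_spoofed(routes, ifc, src):
    """A packet is spoofed if it arrives on an interface other than the one
    the routing table would send a reply through (strict reverse-path check)."""
    return reverse_path(routes, src) != ifc


def antispoof_rules(routes):
    """Per-interface block list: on each interface, block inbound sources
    belonging to networks routed via any *other* interface. The default
    route is skipped because it says nothing about legitimate sources."""
    nets = _parse(routes)
    rules = {}
    for ifc in nets:
        blocked = [n for other, lst in nets.items() if other != ifc
                   for n in lst if n.prefixlen > 0]
        rules[ifc] = sorted(blocked, key=lambda n: (n.version, int(n.network_address)))
    return rules


def render_pf(rules):
    """Emit the block list as pf-style rule lines, one per interface/network."""
    return [f"block in quick on {ifc} from {net} to any"
            for ifc, nets in rules.items() for net in nets]
```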



Re: [pfSense Support] Re: trap 12: page fault while in kernel mode

2006-06-04 Thread Rolf Sommerhalder

After stumbling across the very same problem when trying BETA4 on a
Nokia IP120, I am currently installing the development environment on
another i386 platform in order to attempt to build a patched
kernel/.iso that will boot on the Nokia, hopefully without panicking, or
provide some debug output (enable debug symbols, core dump, ddb,
etc.).

I will let the list know about the outcome once the update build
completes, hopefully in a few hours - I had to install the build
environment on an old P-II after I failed to get cvsup working
correctly from within a virtual machine under VMware from behind a firewall...

Regards,
Rolf




[pfSense Support] pptp server and passthrough status?

2006-06-04 Thread Jonathan Woodard
I was just wondering if there has been any more work done on this issue. I 
updated to the June 4th build and I am still having problems. I run a 
pptp server and connect to a pptp server remotely. I was initially able 
to connect, but re-connecting will not work and hangs with the typical 
619 error. I understand this is a persistent problem that has been 
looked at for quite some time, and I noticed in the blog that some 
pptp fix was committed. Forgive me if I sound pushy, but I just wondered 
if anything else has been discovered on it.


Viva La PFsense, I love it!

Jonathan
