Subject: Re: [pfSense Support] Re: per-interface rulebases: why?
Any kernel experts out there?
Whoa, waitaminit - you're telling us you expect this to be implemented
at the kernel level? As in trying to change the way the most trusted,
respected, and audited group of networking-centric OSes views and
handles networks? The same OS family that's regarded as h
Scott Ullrich wrote:
You know, while this entire discussion has been raging (for no good
reason) you could have already implemented this behavior and been
happy.
Yes, well, my Nokia IP boxes still cannot run FreeBSD 5.x/6.x and thus pfSense.
No response to the PR, and I'm not sure where to take
Bill Marquette wrote:
> > Accounting uses a vendor who also has a T1 into the building. This T is
> > bridged [sigh] for reasons I won't go into. They come in on their own
> > interface.
>
> Anything wrong with:
>
> src dst service action
> vendor2-net accounting-vlan
Eric, thanks for providing use cases!
Sadly, I think I can dismiss them as requiring per-interface rulebases.
At the least, I'll try. You be the judge :-).
Eric W. Bates wrote:
A small IT company. Has a DMZ for their web/mail etc. Has a staff net
for their own workstations. Has a test net
In the case where there are only 2 interfaces in use on a firewall, you
may be correct that per interface rules are pointless.
However, most of my real case situations involve 3+ interfaces.
test case:
A small IT company. Has a DMZ for their web/mai
Like I just said on the m0n0wall list, what this really comes down to is
a matter of personal preference. Cisco does per-interface, Check Point
and MS ISA do one long unmanageable ruleset. If you don't like
per-interface, go use Check Point or MS ISA. Obviously the developers
here prefer per
Okay, I got it. Since I think pfSense rocks and I have experience with 4 or 5
firewall types, I will spend 5 min/day away from family and work to spec out
improvements to pfSense. Real formal stuff that we can all vet. I can draw from
experience with:
Checkpoint FW1 4.1 & NG
Cisco PIX 515
IP C
Gary Buckmaster wrote:
A master rule set, especially for those of us with more complex networks
would be unmanageable. Right now, I have a 3 NIC firewall configuration
handling over 65 publicly addressable machines, and when you factor in
VPN interfaces, that list of rules alone is pretty beefy.
my response to the m0n0wall list (and let's keep this on one list or the
other from now on):
Can you name a firewall vendor that doesn't do per-interface rulesets?
(I'm sure there are some, but virtually all do per-interface) Or one
good reason it shouldn't be this way?
The vast majority of th
You're not thinking this problem out nearly well enough. A master rule
set, especially for those of us with more complex networks would be
unmanageable. Right now, I have a 3 NIC firewall configuration handling
over 65 publicly addressable machines, and when you factor in VPN
interfaces, that
Wait! There's more.
Ok, this is truly mostly a joke, but anyway might help visualize the idea :-).
== (moreover)
There should be a fancy button that produces a SVG showing the
firewall in the middle, the interfaces sticking out from it, and all
the networks as fluffy white
Bill Marquette wrote:
Anti-spoofing is important and a sufficient use case.
It certainly is.
Only I think that having a rulebase per interface just for this is
overengineering things, because it makes all other rule work (besides
antispoofing) needlessly complicated.
Scott Ullrich wrote:
wh
On 6/1/06, Molle Bestefich <[EMAIL PROTECTED]> wrote:
Scott Ullrich wrote:
Can't see how that translates to "has a real use cases besides antispoofing".
Instead of arguing of why and how evolution of the m0n0wall -> pfSense
ruleset has come to be why not tell us how you envision it should
work.
Anti-spoofing is important and a sufficient use case. Please try to
convince us why we're wrong. We're not going to spend any time trying
to convince you why we're right.
--Bill
Scott Ullrich wrote:
I agree with Bill.
Covered that one ;-).
Not to mention we inherited this behavior from m0n0wall.
Can't see how that translates to "has a real use cases besides antispoofing".
Bill Marquette wrote:
I'm not sure I see that as a hassle. I'd be more surprised when a
rule matched on an interface I wasn't expecting it to match on.
I asked for use cases, that's not a use case.
You're just saying that you expect the current layout, but the reasons
for that could be anythi