You're not thinking this problem out nearly well enough. A master rule set, especially for those of us with more complex networks, would be unmanageable. Right now, I have a 3-NIC firewall configuration handling over 65 publicly addressable machines, and when you factor in VPN interfaces, that list of rules alone is pretty beefy. In the near future, we'll be scaling up to an even more complex environment. Having rules per-interface gives me a very easy and efficient way to manage my network. Trying to troubleshoot an issue against a master rules list would be a nightmare. Also, just as a general rule of etiquette, if you have an idea involving a group of people heavily re-writing something they've been working on for years, it's a good idea to have a very solidly thought out alternative idea. Half-baked, sketchily detailed ideas that you champion after demanding that the developers defend their design to you are likely to be looked darkly upon. Just a thought for you to consider for the future.

Molle Bestefich wrote:

Only I think that having a rulebase per interface just for this is
overengineering things, because it makes all other rule work (besides
antispoofing) needlessly complicated.

I'd like.....

===== (and the story begins) =====

My firewall should have a notion of network segments.
Network segments can be many things, but here it means an IP address
and a netmask.
We'll call those, say, a "network definition", and when we need to be
short, a "network".

My firewall would have one pre-defined network called "External network".
That network would per definition contain all IP addresses that are
not in any of the other network definitions.

In the GUI of my firewall, I would be able to assign to each interface
a number of networks.  (Details are sketchy - perhaps I can choose
whether to also assign an IP in that network to the firewall, perhaps
it's mandatory, perhaps the IP is an integral part of the network
definition.  I don't care..)

One particular interface, the WAN interface, should automatically have
added one network, namely the "External network".

And voila, the firewall would know which networks live behind which
interfaces, and thus it could automagically deduce all anti-spoofing
rules.

And when forging the rulebase, the administrator wouldn't have to
bother on which interfaces to put various rules, or where to find them
again, because there'd only be one rulebase, deprived of anything
called "interfaces".  (S)he'd only have to bother which networks (or
hosts) are allowed to connect to which other networks (or hosts).

=========== (the end) ============

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
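The quoted proposal (network definitions bound to interfaces, an implicit "External network" on the WAN, anti-spoofing deduced from that mapping) as a small executable model. This is an added example, not code from either poster or from the firewall being discussed; the interface names, CIDRs and the longest-prefix rule for overlapping definitions are assumptions of the example.

```python
# Added model of the proposed design: a packet arriving on an interface is accepted
# by the anti-spoofing stage only if its source lies in a network assigned to that
# interface. Addresses in no defined network fall into "External network", which is
# the only network living behind the WAN interface.
import ipaddress

EXTERNAL = "External network"


class Firewall:
    def __init__(self, wan_if):
        self.networks = {}            # name -> ipaddress.IPv4Network / IPv6Network
        self.interfaces = {}          # interface -> set of network names behind it
        self.wan_if = wan_if
        self.interfaces[wan_if] = {EXTERNAL}   # pre-defined, as in the proposal

    def define_network(self, name, cidr):
        """A 'network definition': an address plus netmask, given here as CIDR."""
        self.networks[name] = ipaddress.ip_network(cidr, strict=False)

    def assign(self, iface, name):
        """Bind a defined network to an interface (a network may sit behind several)."""
        if name not in self.networks:
            raise KeyError(f"unknown network {name!r}")
        self.interfaces.setdefault(iface, set()).add(name)

    def network_of(self, addr):
        """Name of the defined network holding addr; EXTERNAL if none does.
        Assumption: overlapping definitions resolve to the longest prefix."""
        ip = ipaddress.ip_address(addr)
        hits = [(n.prefixlen, name) for name, n in self.networks.items() if ip in n]
        return max(hits)[1] if hits else EXTERNAL

    def antispoof_rules(self):
        """The per-interface allow lists the firewall would deduce automatically."""
        return {iface: sorted(names) for iface, names in self.interfaces.items()}

    def ingress_allowed(self, iface, src):
        """Anti-spoofing check for one ingress packet: src must belong to a
        network that lives behind iface. A LAN source seen on the WAN fails."""
        return self.network_of(src) in self.interfaces.get(iface, set())


if __name__ == "__main__":
    fw = Firewall("em0")                                # constructed sample config
    fw.define_network("LAN", "192.168.1.0/24")
    fw.define_network("DMZ", "203.0.113.0/24")
    fw.assign("em1", "LAN")
    fw.assign("em2", "DMZ")
    print(fw.antispoof_rules())
    print(fw.ingress_allowed("em0", "192.168.1.10"))    # spoofed LAN source on WAN
```

A network that is defined but assigned to no interface is dropped everywhere, which is how this model would keep private or otherwise unrouted ranges out of the "External network" on the WAN.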