Wow, I go off and have a few beers and this turns into a 25 message discussion!
On 6/1/06, Randy B <[EMAIL PROTECTED]> wrote:
> I find it irrelevant to the discussion what others are doing, though :-). Simply that this concept is alien to me, and I'm trying to grasp context - the more outside examples the better. It seems that what you're looking for is somewhat similar to some of the higher-level "shiny" bits on Cisco's PDM - just assign the rules and it'll figure out where they go.
PIX, which is what PDM is made for (just try using PDM on a FWSM, I dare ya!) is really only a two interface firewall. Cisco's engineers do NOT recommend the PDM interface if you have even a slightly complex interface (and it certainly doesn't cover the full PIX feature set).
> It's all added complexity to me - the interface information is implicit in the network or host that's already defined for each rule anyway. Having to stuff specific rules "into specific interfaces" is just completely superfluous, it seems to me.
> So it's the presentation that gets you - you could know that under the covers it's interface-based (and will always be, since networks are interface-focused), and would probably want a hook that you could set an explicit interface if need be, but otherwise don't want to be bothered with it. DWIM-ery (Do What I Mean) - a constant companion to our friend from mac.com. I'd be willing to bet that this discussion mirrors the GUI/CLI zealots' lines. I fall in the latter group, but find UI discussions fascinating. Not that it's what you're asking for, but at one point when I put a rule into the wrong interface on pfSense (been a long time ago), it actually set it on the right one.
oops damn those bugs ;-P
Actually, we're kind of hoping true policy routing makes it into Open and gets ported to Free, which makes this whole conversation pointless as interface-specific rules will be required.
--Bill