Yepp!

I agree with the ISA thing!
At work we also have an ISA appliance, but only for caching proxy and reverse 
proxying, and even the rules to permit AD auth and so on make you mad!

The way pfSense makes it with rulesets is the way EVERY firewall I've seen 
makes it and for me it's the only one logical way...

I guess it does not make much sense to convert to the ISA way because when you 
think about ca. 500 rules you have in a large company you'll get mad with 
ISA-style...

It's like GPOs in W2K3 then... You have to look at the resultant set of 
policies to know what is going on because when there are so many rules you'll 
never see on the first view, what's up...

Keep on going with the per-if-rules, guys ;-)

Martin 

-----Original Message-----
From: Chris Buechler [mailto:[EMAIL PROTECTED] 
Sent: Thursday, 1 June 2006 21:35
To: support@pfsense.com
Subject: Re: [pfSense Support] Re: per-interface rulebases: why?

my response to the m0n0wall list (and let's keep this on one list or the other 
from now on):

Can you name a firewall vendor that doesn't do per-interface rulesets?
(I'm sure there are some, but virtually all do per-interface.) Or one good 
reason it shouldn't be this way?

The vast majority of the time, it makes rulesets much cleaner and easier to 
work with, and easier to read and comprehend.  For those reasons, it's more 
secure (more difficult to screw something up).  If you only have two 
interfaces, this might not be a big deal, but throw in 6 interfaces or so and a 
complex ruleset to go along with it, and the per-interface method makes *much* 
more sense.



Molle Bestefich wrote:
> I'd like.....
>

What you're describing is essentially Microsoft ISA Server.  If you want that, 
use it.  I'd never use the type of ruleset ISA uses in any remotely complex 
firewall setup.  I would never, ever replace my bigger firewalls with ISA 
because the ruleset on the firewalls would be absolutely nuts with ISA's 
method.  I use ISA as a proxy and the relatively basic ruleset I have, of about 
25 rules, is ugly to manage.  
If I had hundreds of rules with a half dozen interfaces, I would absolutely 
lose my mind trying to administer one long, completely illegible ruleset.  You 
may think your idea is good in theory, but if you'd ever try to use something 
like that with any moderately complex setup I think you'd quickly change your 
mind. 


> And voila, the firewall would know which networks live behind which 
> interfaces, and thus it could automagically deduce all anti-spoofing 
> rules.

It can already do that, it's called a routing table. 
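The routing-table point above, as an added Python illustration that is not code from pfSense, pf or either poster: a constructed three-interface routing table (interface names and networks are made up) is expanded into per-interface anti-spoof block rules, in the spirit of pf's `antispoof` keyword, and the same table drives a strict reverse-path check on sample packets.

```python
import ipaddress

# Constructed sample routing table: (destination network, outgoing interface).
# Networks are chosen not to overlap; longest-prefix lookup handles the default.
ROUTES = [
    ("0.0.0.0/0", "wan"),
    ("192.168.1.0/24", "lan"),
    ("10.20.0.0/16", "dmz"),
]

def build_table(routes):
    """Parse routes into (network, iface) pairs, longest prefix first."""
    table = [(ipaddress.ip_network(net), iface) for net, iface in routes]
    table.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return table

def route_lookup(table, addr):
    """Longest-prefix match: the interface the firewall would reach addr through."""
    ip = ipaddress.ip_address(addr)
    for net, iface in table:
        if ip in net:
            return iface
    return None

def per_interface_antispoof(table):
    """Derive anti-spoof rules from the routing table, grouped per interface:
    a source address from a network routed via interface A must not show up
    arriving on any other interface. The default route is skipped because it
    says nothing about which sources are legitimate on wan."""
    ifaces = sorted({iface for _, iface in table})
    rules = {iface: [] for iface in ifaces}
    for net, home in table:
        if net.prefixlen == 0:
            continue
        for iface in ifaces:
            if iface != home:
                rules[iface].append(f"block drop in on {iface} inet from {net} to any")
    return rules

def passes_rpf(table, in_iface, src):
    """Strict reverse-path check: accept only if the return route to src
    leaves through the interface the packet arrived on."""
    return route_lookup(table, src) == in_iface

TABLE = build_table(ROUTES)

if __name__ == "__main__":
    for iface, rule_list in per_interface_antispoof(TABLE).items():
        print(f"# rules for {iface}")
        for rule in rule_list:
            print(rule)
```

The strict check also rejects an internet address arriving on lan, which is exactly the asymmetric-routing caveat to keep in mind before turning on strict RPF on a multi-homed box.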



---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: 
[EMAIL PROTECTED]


