[ previous ] [ next ] [ threads ]
 From:  sai <sonicsai at gmail dot com>
 To:  "Tonix (Antonio Nati)" <tonix at interazioni dot it>
 Cc:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] Redesigning m0n0wall filter rules
 Date:  Wed, 6 Feb 2008 14:32:31 +0500
Security and simplicity go together. If your ruleset is very complex,
then you will have difficulties in managing it and debugging it.

If you have incoming rules as well as outgoing rules, the ruleset will
become very complex (and we dont know what the impact on performance
will be).
The current system means that it is easy to understand the ruleset
applied to any interface. It may be administratively problematic with
lots of typing and duplication but from a security point of view it is


On 2/5/08, Tonix (Antonio Nati) <tonix at interazioni dot it> wrote:
> We are thinking how to extend/improve m0n0wall rules architecture.
> After an intense work done with rules, we finally realize we need
> something actual m0n0wall architecture cannot satisfy.
> Given our environment, with dozen of reserved VLAN and a few of servers
> VLAN, actual m0n0wall behaviour of applying rules to "incoming"
> interfaces forces us to apply same rules to dozens of VLAN, while rules
> eventually applied to "outgoing" interfaces could be a lot more easy to
> manage.
> Planning to put hands in code, we are thinking to add a system flag
> (enable rules on output interfaces) and change rules to outgoing
> interfaces if that flag is enabled.
> Obviouslly it would be better to have rules working both on "incoming
> interfaces" and "outgoing interfaces", but it looks not easy to make
> with ipfilter.
> Thanks for any comment/hint.
> Tonino
> --
> ------------------------------------------------------------
>         Inter@zioni            Interazioni di Antonio Nati
>    http://www.interazioni.it      tonix at interazioni dot it
> ------------------------------------------------------------
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash dev dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash dev dash help at lists dot m0n0 dot ch