Daniele Guazzoni wrote:
> And beside all discussions, inbound filtering will also protect the
> firewall itself (web interface, services, ...)

This is one of the most important statements in this discussion. I have
been following this discussion, but I have yet to see any real benefit
to what Antonio is proposing, and I do see some real problems with it.

How about a helper script? For example, the NAT page does not actually
create firewall rules, but if you check the box a script will run to
make the appropriate rules. However, it is not always efficient, or in
some cases correct. (I have seen it put an allow after a block...)
Antonio could also make a script run from a helper page that would
create the correct inbound rules for a virtual outbound rule. This
would be less work, and would leave the fundamental architecture of
m0n0wall intact. Antonio, if you really want to change the fundamental
architecture you may be on your own, as I have not seen many developers
or contributors in support of what you want. However, a good proof of
concept demo could change some minds.

Lee