 From:  "Jurgen van Vliet" <jurgenvv at xs4all dot nl>
 To:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall-dev] Redesigning m0n0wall filter rules
 Date:  Thu, 7 Feb 2008 19:12:37 +0100
Maybe a sidestep, but what I really loved and still love is the Linux
Shorewall method.
It's essentially a wrapper around iptables.
You create a zone for each interface, or multiple zones per interface for
each subnet, and the fw itself is a zone.
First you create policies, like LAN to WAN ACCEPT, LAN to DMZ ACCEPT, WAN to
LAN DROP, WAN to DMZ DROP, etc.
Then you can make exceptions to the policy with a ruleset, like WAN to LAN
accept smtp, etc.
Very admin friendly and flexible.

Just my 2 cents :)

Regards, Jurgen

-----Original message-----
From: Lee Sharp [mailto:leesharp at hal dash pc dot org] 
Sent: Thursday, 7 February 2008 18:34
To: m0n0wall dash dev at lists dot m0n0 dot ch
Subject: Re: [m0n0wall-dev] Redesigning m0n0wall filter rules

Daniele Guazzoni wrote:

> And beside all discussions, inbound filtering will also protect the
> firewall itself (webinterface, services, ...)

This is one of the most important statements in this discussion.  I have 
been following this discussion, but I have yet to see any real benefit 
to what Antonio is proposing, and I do see some real problems with it.

How about a helper script?  For example, the NAT page does not actually 
create firewall rules, but if you check the box a script will run to 
make the appropriate rules.  However, it is not always efficient, or in 
some cases correct.  (I have seen it put an allow after a block...) 
Antonio could also make a script run from a helper page that would 
create the correct inbound rules for a virtual outbound rule.  This 
would be less work, and would leave the fundamental architecture of 
m0n0wall intact.  Antonio, if you really want to change the fundamental 
architecture you may be on your own, as I have not seen many developers 
or contributors in support of what you want.  However, a good proof of 
concept demo could change some minds.

			Lee
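
The zone / policy / rule layering Jurgen describes above, as an added example that is not Shorewall, m0n0wall or either poster's code: a small Python model in which the firewall host is its own zone, exception rules are matched before the per-zone-pair default policy, and the rendered iptables chains keep that order (exceptions first, policy verdict last), which is exactly the "allow after a block" ordering problem Lee mentions with the NAT helper script. The interface names, subnets, firewall addresses, policies, rules and sample packets are all constructed assumptions for illustration.

```python
"""Shorewall-style zones, policies and exception rules as a tiny policy engine.

Added example; all zones, addresses and rules below are constructed, not a real layout.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

FW = "fw"                      # the firewall host is a zone of its own
ACCEPT, DROP = "ACCEPT", "DROP"


@dataclass(frozen=True)
class Zone:
    name: str
    iface: str                 # FW for the firewall itself
    net: str = "0.0.0.0/0"     # subnet, so one interface can carry several zones


@dataclass(frozen=True)
class Packet:
    in_iface: str              # FW when the packet originates on the firewall
    src: str
    dst: str
    proto: str
    dport: int = 0


# Constructed layout: three interfaces plus the firewall itself.
ZONES = [
    Zone("lan", "em1", "192.168.1.0/24"),
    Zone("dmz", "em2", "10.0.0.0/24"),
    Zone("wan", "em0"),                    # 0.0.0.0/0 catch-all
    Zone(FW, FW),
]
FW_ADDRS = {"192.168.1.1", "10.0.0.1", "203.0.113.10"}   # constructed firewall addresses

# Default verdict per (source zone, destination zone); unlisted pairs fall to DEFAULT_POLICY.
POLICIES = {
    ("lan", "wan"): ACCEPT, ("lan", "dmz"): ACCEPT, ("lan", FW): ACCEPT,
    ("wan", "lan"): DROP, ("wan", "dmz"): DROP, ("wan", FW): DROP,
    ("dmz", "wan"): ACCEPT, ("dmz", FW): DROP,
    (FW, "lan"): ACCEPT, (FW, "dmz"): ACCEPT, (FW, "wan"): ACCEPT,
}
DEFAULT_POLICY = DROP

# Exceptions: (src zone, dst zone, proto, dport, verdict). Checked before the policy; first match wins.
RULES = [
    ("wan", "lan", "tcp", 25, ACCEPT),   # the "WAN to LAN accept smtp" exception from the post
    ("dmz", FW, "udp", 53, ACCEPT),      # DMZ hosts may use the firewall's resolver, nothing else
    ("lan", "wan", "tcp", 25, DROP),     # block direct outbound SMTP despite the lan->wan ACCEPT policy
]


def _prefixlen(z: Zone) -> int:
    return ipaddress.ip_network(z.net).prefixlen


def src_zone(pkt: Packet) -> str:
    """Source zone comes from the ingress interface plus the zone subnet (most specific wins)."""
    if pkt.in_iface == FW:
        return FW
    ip = ipaddress.ip_address(pkt.src)
    found = [z for z in ZONES if z.iface == pkt.in_iface and ip in ipaddress.ip_network(z.net)]
    if not found:
        raise ValueError(f"no zone for {pkt.src} arriving on {pkt.in_iface} (spoofed or misconfigured)")
    return max(found, key=_prefixlen).name


def dst_zone(pkt: Packet) -> str:
    """Traffic to one of the firewall's own addresses is the FW zone; otherwise match by subnet."""
    if pkt.dst in FW_ADDRS:
        return FW
    ip = ipaddress.ip_address(pkt.dst)
    found = [z for z in ZONES if z.iface != FW and ip in ipaddress.ip_network(z.net)]
    return max(found, key=_prefixlen).name


def decide(pkt: Packet) -> tuple[str, str]:
    """Return (verdict, reason): an exception rule if one matches, else the zone-pair policy."""
    s, d = src_zone(pkt), dst_zone(pkt)
    for rs, rd, proto, dport, verdict in RULES:
        if (rs, rd) == (s, d) and proto == pkt.proto and dport == pkt.dport:
            return verdict, f"rule {s}->{d} {proto}/{dport}"
    return POLICIES.get((s, d), DEFAULT_POLICY), f"policy {s}->{d}"


def iface_of(zone: str) -> str:
    return next(z.iface for z in ZONES if z.name == zone)


def render_iptables() -> list[str]:
    """Render one chain per zone pair: exception rules first, the policy verdict as the last entry.

    Simplified on purpose (no conntrack, no per-subnet matching in the jump rules).
    """
    cmds = ["iptables -P INPUT DROP", "iptables -P FORWARD DROP", "iptables -P OUTPUT DROP"]
    pairs = {(r[0], r[1]) for r in RULES} | set(POLICIES)
    for s, d in sorted(pairs):
        chain = f"{s}2{d}"
        cmds.append(f"iptables -N {chain}")
        if s == FW:
            cmds.append(f"iptables -A OUTPUT -o {iface_of(d)} -j {chain}")
        elif d == FW:
            cmds.append(f"iptables -A INPUT -i {iface_of(s)} -j {chain}")
        else:
            cmds.append(f"iptables -A FORWARD -i {iface_of(s)} -o {iface_of(d)} -j {chain}")
        for rs, rd, proto, dport, verdict in RULES:            # exceptions first ...
            if (rs, rd) == (s, d):
                cmds.append(f"iptables -A {chain} -p {proto} --dport {dport} -j {verdict}")
        cmds.append(f"iptables -A {chain} -j {POLICIES.get((s, d), DEFAULT_POLICY)}")   # ... policy last
    return cmds


if __name__ == "__main__":
    for p in (Packet("em0", "198.51.100.7", "192.168.1.10", "tcp", 25),
              Packet("em0", "198.51.100.7", "203.0.113.10", "tcp", 443),
              Packet("em2", "10.0.0.5", "10.0.0.1", "udp", 53)):
        print(p.src, "->", p.dst, p.proto, p.dport, decide(p))
    print("\n".join(render_iptables()))
```

Because the firewall is a zone, the same two tables also cover Daniele's point about protecting the box itself: traffic to a firewall address lands in the `wan2fw` or `dmz2fw` chain, where only explicit exceptions get through before the DROP policy. The `src_zone` check also rejects packets whose source address does not belong to the zone of the interface they arrived on, which is a useful place to hang an anti-spoofing log.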
