If the m0n0wall people are so closely bound to the WAN, LAN, OPT1 model, there
is very little to discuss. Then it's time to start a m1n1 project, with
wider views.
But if you consider that this firewall is widely used because of its
speed, and because of that speed it is used in a lot of big configurations,
where people have:
* Direction VLAN
* Marketing VLAN
* IT VLAN
* Meetings VLAN
* Accounting VLAN
* Wi-Fi VLAN
* Reception VLAN
* Remote Office 1 Exchange VLAN (Radio connection)
* Remote Office 2 Exchange VLAN (HDSL connection)
* VOIP VLAN
* Server VLAN
* Internet VLAN
then you may see that
* ONE outbound rule written in the Server VLAN eliminates the need
for the other 11 rules which would have to be written in each of the other
interfaces.
* ONE outbound rule written in the Internet VLAN solves the same problem
* TWO deny rules, inbound and outbound, on Wi-Fi eliminate ANY
security issues about Wi-Fi
With a few inbound and outbound rules you solve any problem. All in one
page, for a complex situation.
Try to do the same only with inbound rules!!!!!!
I hope m0n0wall is ready to take the step to become a more complete firewall.
Tonino
Lee Sharp wrote:
> Daniele Guazzoni wrote:
>
>> And beside all discussions, inbound filtering will also protect the
>> firewall itself (webinterface, services, ...)
>
> This is one of the most important statements in this discussion. I
> have been following this discussion, but I have yet to see any real
> benefit to what Antonio is proposing, and I do see some real problems
> with it.
>
> How about a helper script? For example, the NAT page does not
> actually create firewall rules, but if you check the box a script will
> run to make the appropriate rules. However, it is not always
> efficient, or in some cases correct. (I have seen it put an allow
> after a block...) Antonio could also make a script run from a helper
> page that would create the correct inbound rules for a virtual
> outbound rule. This would be less work, and would leave the
> fundamental architecture of m0n0wall intact. Antonio, if you really
> want to change the fundamental architecture you may be on your own, as
> I have not seen many developers or contributors in support of what you
> want. However, a good proof of concept demo could change some minds.
>
> Lee
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall-dev-unsubscribe@lists.m0n0.ch
> For additional commands, e-mail: m0n0wall-dev-help@lists.m0n0.ch
>
>
--
------------------------------------------------------------
Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it tonix@interazioni.it
------------------------------------------------------------
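The thread argues about two things: Tonino's claim that one outbound rule on an interface replaces one inbound rule on each of the other interfaces, and Lee's suggestion of a helper script that expands such a "virtual outbound rule" into the inbound rules m0n0wall actually evaluates, together with his warning that generated rule sets can end up with an allow placed after a block. The script below is an added example written for this page; it is not m0n0wall code and not from either poster. It uses a simplified pf-like rule notation (an assumption, not m0n0wall's config format), constructed VLAN names taken from Tonino's list, and constructed network addresses. It expands outbound rules into per-interface inbound rules, counts them, and then runs a first-match shadowing check over the result so that dead rules (the "allow after a block" case) are reported rather than silently installed.

```python
from dataclasses import dataclass, replace

# Constructed interface list, taken from the VLAN names in Tonino's message.
VLANS = ["Direction", "Marketing", "IT", "Meetings", "Accounting", "Wi-Fi",
         "Reception", "RemoteOffice1", "RemoteOffice2", "VOIP", "Server", "Internet"]

# Constructed networks for the example; the real addressing is not on the page.
SERVER_NET = "10.0.11.0/24"
WIFI_NET = "10.0.6.0/24"


@dataclass(frozen=True)
class Rule:
    action: str        # "pass" or "block"
    direction: str     # "in" or "out", relative to the interface the rule sits on
    interface: str     # interface/VLAN the rule is attached to
    src: str = "any"
    dst: str = "any"
    proto: str = "any"
    port: str = "any"

    def render(self) -> str:
        # Simplified pf-like text (assumption: not m0n0wall's real format).
        return (f"{self.action} {self.direction} quick on {self.interface} "
                f"proto {self.proto} from {self.src} to {self.dst} port {self.port}")


def expand_outbound(virtual: Rule, interfaces: list[str]) -> list[Rule]:
    """Expand one 'virtual' outbound rule on interface X into the rules an
    inbound-only filter needs: the same match, inbound, on every other
    interface, because traffic leaving through X entered on one of them.
    The virtual rule must name its destination network explicitly; 'any'
    would overmatch once copied to the other interfaces."""
    if virtual.direction != "out":
        raise ValueError("only outbound rules are expanded")
    return [replace(virtual, direction="in", interface=iface)
            for iface in interfaces if iface != virtual.interface]


def _field_covers(a: str, b: str) -> bool:
    return a == "any" or a == b


def covers(a: Rule, b: Rule) -> bool:
    """True when every packet that rule b matches is also matched by rule a."""
    return (a.direction == b.direction and a.interface == b.interface
            and all(_field_covers(getattr(a, f), getattr(b, f))
                    for f in ("src", "dst", "proto", "port")))


def find_shadowed(rules: list[Rule]) -> list[Rule]:
    """Under first-match ('quick') evaluation a rule fully covered by an
    earlier rule never fires. A generator should run this over its output:
    a shadowed 'pass' is Lee's 'allow after a block' case."""
    return [later for i, later in enumerate(rules)
            if any(covers(earlier, later) for earlier in rules[:i])]


def build_ruleset(interfaces: list[str]) -> list[Rule]:
    """Tonino's three policies, expanded into explicit inbound rules:
    a Wi-Fi block pair, one Server VLAN rule, one Internet VLAN rule."""
    wifi_block_in = Rule("block", "in", "Wi-Fi")
    wifi_block_out = Rule("block", "out", "Wi-Fi", dst=WIFI_NET)
    server_out = Rule("pass", "out", "Server", dst=SERVER_NET, proto="tcp", port="443")
    internet_out = Rule("pass", "out", "Internet", proto="tcp", port="80")
    rules = [wifi_block_in]                         # 1 rule on Wi-Fi itself
    rules += expand_outbound(wifi_block_out, interfaces)   # 11 inbound rules
    rules += expand_outbound(server_out, interfaces)       # 11 inbound rules
    rules += expand_outbound(internet_out, interfaces)     # 11 inbound rules
    return rules


if __name__ == "__main__":
    ruleset = build_ruleset(VLANS)
    print(f"{len(ruleset)} inbound rules generated from 4 policy rules")
    for r in ruleset:
        print(r.render())
    for r in find_shadowed(ruleset):
        print("SHADOWED (never fires):", r.render())
```

Running it shows the arithmetic from Tonino's message (each outbound policy becomes 11 inbound rules) and also the point Lee makes about generated rules: the expanded "pass" rules that land on the Wi-Fi interface sit after the total Wi-Fi block and are reported as shadowed. Here that is the intended effect of the Wi-Fi policy, but the same report would catch an accidental allow-after-block, which is why a helper script should check ordering rather than just emit rules.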