 From:  Daniele Guazzoni <daniele dot guazzoni at gcomm dot ch>
 To:  Mono Dev List <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall-dev] Redesigning m0n0wall filter rules
 Date:  Fri, 08 Feb 2008 01:25:22 +0100
Antonio,

If you work with aliases (for services and networks) it will make (almost *) no difference if you
filter inbound or outbound.

* Almost means that with outbound you have no implicit protection of your firewall services.


Tonix (Antonio Nati) wrote:
> then you may see that
> 
>    * ONE  outbound rule written in the server VLAN eliminates the need
>      for the other 11 rules which should be written in each of the other
>      interfaces.
This implies that your interfaces allow any in...
>    * ONE outbound rule written in the Internet VLAN solves the same problem
Same as above...
>    * TWO deny inbound and outbound rules on Wi-Fi eliminate ANY
>      security issues about Wi-Fi
> 
> With a few inbound and outbound rules you solve any problem. All in one 
> page, for a complex situation.
> Try to make the same only with inbound rules!!!!!!
That's what I do the whole day, dude!
(in an environment with 23 firewalls, 320 servers, 600 users in 12 countries, VoIP, QoS, IDS/IPS,
VPN, ...)

> I hope monowall is ready to make the step to be a more complete firewall.
This is the only sentence with real sense behind it. Any sensible proposal?

It seems to me that you don't care too much about security as you allow anything in...
My proposal to you:
Place a router with all your VLANs behind the firewall!
You will have only two interfaces to care about, and so there will be no question of swapping the
filter logic.

However, we could continue this discussion for ages and you will not be able to convince me about
outbound filtering...

BTW: you can also try to convince me in Italian if that seems easier to you...

Daniele


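Added illustration, not code from the thread, from m0n0wall or from ipfilter: a toy packet-filter model that evaluates the same packets under the two designs argued about above (explicit inbound rules versus interfaces allowing anything in plus a single outbound rule on the server VLAN), using aliases for servers and services. The topology, addresses, aliases and rule tuples are constructed assumptions; the last case shows the "almost" caveat, since a packet addressed to the firewall itself never reaches an outbound hop.

```python
from ipaddress import ip_address, ip_network

# Constructed topology: two inside networks; the firewall owns .1 on each.
IFACES = {"LAN": ip_network("10.0.1.0/24"), "SRV": ip_network("10.0.2.0/24")}
FW_ADDRS = {ip_address("10.0.1.1"), ip_address("10.0.2.1")}
# Aliases for networks and services (constructed), as the mail suggests.
ALIASES = {"web_servers": [ip_network("10.0.2.10/32"), ip_network("10.0.2.11/32")],
           "web_ports": [80, 443]}

def matches(rule, iface, pkt):
    """rule = (action, iface, direction, dst_alias, port_alias); '*' = any."""
    _, r_iface, _, dst, ports = rule
    if r_iface not in ("*", iface):
        return False
    if dst != "*" and not any(pkt["dst"] in net for net in ALIASES[dst]):
        return False
    return ports == "*" or pkt["dport"] in ALIASES[ports]

def egress_iface(dst):
    """Route lookup; None means the packet is addressed to the firewall itself."""
    if dst in FW_ADDRS:
        return None
    return next((name for name, net in IFACES.items() if dst in net), "WAN")

def filter_packet(rules, defaults, pkt):
    """'in' rules run on the ingress interface, 'out' rules on the egress
    interface (if any). First matching rule wins per hop, else the default."""
    hops = [("in", pkt["iface"])]
    out = egress_iface(pkt["dst"])
    if out is not None:
        hops.append(("out", out))
    for direction, iface in hops:
        hit = next((r for r in rules if r[2] == direction and matches(r, iface, pkt)), None)
        if (hit[0] if hit else defaults[direction]) == "block":
            return "block"
    return "pass"

# Design 1: filter where traffic enters; anything not explicitly passed is blocked.
INBOUND = ([("pass", "LAN", "in", "web_servers", "web_ports")],
           {"in": "block", "out": "pass"})
# Design 2: interfaces allow anything in, a single outbound rule on the server VLAN.
OUTBOUND = ([("pass", "*", "in", "*", "*"),
             ("pass", "SRV", "out", "web_servers", "web_ports")],
            {"in": "block", "out": "block"})

def compare(dst, dport, iface="LAN"):
    """Verdict of both designs for one packet entering on `iface`."""
    pkt = {"iface": iface, "dst": ip_address(dst), "dport": dport}
    return {"inbound": filter_packet(*INBOUND, pkt), "outbound": filter_packet(*OUTBOUND, pkt)}
```

For forwarded traffic the two designs agree; for a packet to the firewall's own address (10.0.1.1:22 here) only the inbound design blocks, because nothing ever leaves an interface.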