 
 From:  "Tonix (Antonio Nati)" <tonix at interazioni dot it>
 To:  Chris Buechler <cbuechler at gmail dot com>
 Cc:  Mono Dev List <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall-dev] Redesigning m0n0wall filter rules
 Date:  Fri, 08 Feb 2008 09:22:42 +0100
Chris Buechler ha scritto:
> Wow this has turned into one hell of a bike shed.
>
> I don't see a problem with implementing additional methods of
> filtering. One that allows enabling in and out rules, and one that
> allows configuring one single ruleset applied independent of
> interfaces would be ideal. Different methods of filtering work better
> in certain environments, and/or better suit some people's personal
> preferences. The default would have to be retained as is for backwards
> compatibility, and because it's easier for the typical user to grasp
> and harder for them to shoot themselves in the foot.
>
> Doing this in pfSense using 3 modes as I described above (default,
> in/out, and single ruleset) has been discussed, but no specific plans
> for implementing it at this time (patches accepted). I like the idea
> of giving people options, but not changing the defaults.
>   

I completely agree... Default mode should remain the same.

    * Optional method two would substitute "inbound" rules with
      "outbound" on interface rules (only on interfaces, keeping all the
      remaining base rules as now, with same checks on inbound and
      outbound).
    * Optional method three would substitute interface rules with
      "object" rules, where each object can be a service, an interface,
      an address, with additional checks applied for that object (each
      object would be an ipfilter group). Of course, all general
      monowall rules would remain as now.

It would be great, and it would simplify the management of everything a lot.

Tonino

> -Chris
>


-- 
------------------------------------------------------------
        Inter@zioni            Interazioni di Antonio Nati 
   http://www.interazioni.it      tonix at interazioni dot it           
------------------------------------------------------------
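To make the three modes discussed above concrete, here is an illustrative ipfilter ruleset sketch. It is added to this archive page; it is not m0n0wall's generated configuration and not from either poster. The interface names (fxp0 as WAN, fxp1 as LAN), the LAN network 192.168.1.0/24, the "web server" object address 10.0.0.10 and the group number 100 are all assumed values chosen for the illustration.

```conf
# Mode 1 (today's default): rules are bound to an interface and only
# match traffic arriving IN on that interface; anything not explicitly
# passed is blocked.  Constructed example, not m0n0wall output.
block in log quick on fxp0 all
pass  in quick on fxp1 proto tcp from 192.168.1.0/24 to any port = 80  flags S keep state
pass  in quick on fxp1 proto tcp from 192.168.1.0/24 to any port = 443 flags S keep state
block in log quick on fxp1 all

# Mode 2 (optional "outbound" method): the same interface rules, but
# evaluated OUT on the WAN interface, so LAN traffic is judged as it
# leaves rather than as it enters the LAN interface.
pass  out quick on fxp0 proto tcp from 192.168.1.0/24 to any port = 80  flags S keep state
pass  out quick on fxp0 proto tcp from 192.168.1.0/24 to any port = 443 flags S keep state
block out log quick on fxp0 all

# Mode 3 (optional "object" method): one ipfilter group per object,
# independent of the arriving interface.  The head rule sends every
# packet for the "web server" object (assumed 10.0.0.10) into group 100
# and is also that group's default action (block) if no group rule matches.
block in log from any to 10.0.0.10/32 head 100
pass  in quick proto tcp from any to 10.0.0.10/32 port = 80  flags S keep state group 100
pass  in quick proto tcp from any to 10.0.0.10/32 port = 443 flags S keep state group 100
```

The point of the sketch is the difference in what a rule is attached to: in modes 1 and 2 the interface and direction are the primary key, so the same policy for one host has to be repeated per interface; in mode 3 the object (here an address) owns its checks, and the head/group mechanism is what lets those checks apply regardless of where the packet enters. Note that in modes 1 and 2 the base rules stay as they are today, which is the backward-compatibility constraint both posters insist on.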