Daniele Guazzoni wrote:
> Antonio,
>
> If you work with aliases (for services and networks) it will make
> (almost *) no difference if you filter inbound or outbound.
>
> * Almost means that with outbound you have no implicit protection of
> your firewall services.
>
>
> [snip ... various]
> It seems to me that you don't care too much about security as you
> allow anything in...
I never said monowall must delete all rules "embedded and hidden" for
protecting from bad addresses, hacks and so on.
I just said that group rules (100, 200, 300, etc.), now working only for
inbound connections, could be enabled in the opposite way (outbound).
I don't see why we should delete all the surrounding code.
> My proposal to you:
> Place a router with all your VLAN behind the firewall !
> You will have only two interfaces to care about and so there will be
> no matter of swapping the filter logic.
>
No, please! Another firewall cascading, and if I have the same problem
again, another firewall...
Ciao,
Tonino
> However, we could continue this discussion for ages and you will not
> be able to convince me about outbound filtering...
>
> BTW: you can also try to convince me in Italian if that seems
> easier to you...
>
> Daniele
--
------------------------------------------------------------
Inter@zioni Interazioni di Antonio Nati
http://www.interazioni.it tonix at interazioni dot it
------------------------------------------------------------