 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  interface security levels
 Date:  Wed, 29 Sep 2004 18:48:21 -0400
Suggestion - it'd be nice to be able to define a security level for
each interface, to make it easier for people who want to run multiple
LANs, configure DMZs, etc.  Basically make it more difficult for
people to screw up their firewall rules (or easier to get them right).

For example, you could define the security level of an interface as
0-99, defining how "trusted" a particular network is.  0 being least
trusted, 99 being most trusted.  By default, interfaces with a higher
security level can talk to interfaces with a lower security level, but
not vice versa.  If you define the same level on two interfaces,
traffic can flow between them by default with no firewall rule
additions necessary (like for multiple LAN configs).

This is sort of how a Cisco PIX works, except you can't define two (or
more) interfaces at the same security level.

Hopefully that makes sense.

Or maybe define a "mode" for each interface, with WAN, LAN, or DMZ
being choices.  DMZ can't talk to LAN by default, LANs can talk
amongst each other by default.  That's not as flexible and powerful as
defining levels though.
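The default policy the message proposes, worked through as an added example (this is not m0n0wall code and not anything the author posted). It derives the default pass/block decision for every ordered pair of interfaces from their 0-99 levels, shows the WAN/LAN/DMZ "mode" alternative as a special case by mapping each mode onto an assumed level (WAN=0, DMZ=50, LAN=99), and includes the PIX-style uniqueness check the message contrasts against. The interface names, the levels, the mode-to-level mapping and the rule syntax in render_rules are all constructed for illustration and are not m0n0wall's configuration format or its ipfilter rule output.

```python
"""Added example (not m0n0wall code): default inter-interface policy
derived from per-interface security levels, plus the coarser
WAN/LAN/DMZ "mode" proposal expressed as a special case of levels.

Assumptions: interface names, levels, the MODE_LEVEL mapping and the
rule syntax below are constructed for illustration only."""

from itertools import permutations

# Constructed example config: 0 = least trusted, 99 = most trusted.
LEVELS = {"WAN": 0, "DMZ": 50, "LAN": 99, "LAN2": 99}

# Assumed mapping of the "mode" proposal onto levels so both proposals
# can be evaluated with the same policy function.
MODE_LEVEL = {"WAN": 0, "DMZ": 50, "LAN": 99}


def allowed_by_default(src_level, dst_level):
    """A network may initiate traffic towards any network of lower or
    equal trust, but never towards a more trusted one."""
    return src_level >= dst_level


def default_policy(levels):
    """Map every ordered (src, dst) interface pair to 'pass' or 'block'."""
    return {
        (src, dst): "pass" if allowed_by_default(levels[src], levels[dst]) else "block"
        for src, dst in permutations(levels, 2)
    }


def mode_policy(modes):
    """The WAN/LAN/DMZ variant: derive a level from each interface's mode
    and reuse the level policy. All LANs share a level, so they talk
    freely; DMZ cannot initiate towards LAN."""
    return default_policy({name: MODE_LEVEL[mode] for name, mode in modes.items()})


def check_unique_levels(levels):
    """PIX-style restriction mentioned in the message: no two interfaces
    may share a level. Returns the first duplicated level, or None."""
    seen = set()
    for level in levels.values():
        if level in seen:
            return level
        seen.add(level)
    return None


def render_rules(levels):
    """Render the default policy as one stateful rule per interface pair.
    The rule syntax is illustrative, not ipfilter/m0n0wall syntax."""
    policy = default_policy(levels)
    return [
        f"{action} in on {src} from {src}_net to {dst}_net keep state"
        for (src, dst), action in sorted(policy.items())
    ]


if __name__ == "__main__":
    for line in render_rules(LEVELS):
        print(line)
    dup = check_unique_levels(LEVELS)
    if dup is not None:
        print(f"A PIX-style check would reject this config: level {dup} is used twice")
```

With the constructed config, LAN and LAN2 (both 99) can reach each other and everything below them, DMZ (50) can reach WAN but not LAN, and WAN (0) reaches nothing by default; the mode variant with both LAN interfaces set to LAN produces exactly the same table, which is the sense in which levels are the more general of the two proposals.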