 From:  "Chris Dickens" <chris at object dash zone dot net>
 To:  <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  RE: [m0n0wall-dev] interface security levels
 Date:  Wed, 29 Sep 2004 21:24:59 -0400

I also remember something similar to this back when I used to use Linux for
my firewall solution.  I believe the program was called packetflow or
something like that, it took an XML file with various trust levels, IP
settings, etc. and would automatically generate a shell script to populate
the NAT and filter tables.  If someone feels like implementing something
like this on a rainy day, I'm sure it would be a welcome addition to m0n0.
The thing though is that m0n0 really is so easy to configure anyway that I
personally think this would just be a great quick-setup feature that might
only be used during initial setup, or am I missing the overall reason for
the feature?


-----Original Message-----
From: Chris Buechler [mailto:cbuechler at gmail dot com] 
Sent: Wednesday, September 29, 2004 6:48 PM
To: m0n0wall dash dev at lists dot m0n0 dot ch
Subject: [m0n0wall-dev] interface security levels

Suggestion - it'd be nice to be able to define a security level for each
interface, to make it easier for people that want to run multiple LANs,
configure DMZs, etc.  Basically make it more difficult for people to screw
up their firewall rules (or easier to get them right).

For example, you could define the security level of an interface as 0-99,
defining how "trusted" a particular network is.  0 being least trusted, 99
being most trusted.  By default, interfaces with a higher security level can
talk to interfaces with a lower security level, but not vice versa.  If you
define the same level on two interfaces, traffic can flow between them by
default with no firewall rule additions necessary (like for multiple LAN

This is sort of how a Cisco PIX works, except you can't define two (or
more) interfaces at the same security level.

Hopefully that makes sense.

Or maybe define a "mode" for each interface, with WAN, LAN, or DMZ being
choices.  DMZ can't talk to LAN by default, LANs can talk amongst each
other by default.  That's not as flexible and powerful as defining levels


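The level scheme described in the quoted message (higher level may reach lower, equal levels reach each other, lower never initiates toward higher) and the WAN/LAN/DMZ "mode" variant, worked out as a small default-policy generator. This is an added example, not code from m0n0wall or from either poster; the interface names, subnets, the 0/50/99 preset levels for the modes and the ipfilter-like rule syntax are all assumptions.

```python
from dataclasses import dataclass
from itertools import permutations

# Constructed presets for the "mode" variant: a mode is just a preset level
# (assumed values, not anything m0n0wall defines).
MODE_LEVELS = {"WAN": 0, "DMZ": 50, "LAN": 99}


@dataclass(frozen=True)
class Interface:
    name: str
    level: int     # 0 = least trusted ... 99 = most trusted
    subnet: str    # constructed sample network behind the interface

    def __post_init__(self):
        if not 0 <= self.level <= 99:
            raise ValueError(f"{self.name}: security level must be 0-99")


def from_mode(name: str, mode: str, subnet: str) -> Interface:
    """Build an interface from a WAN/LAN/DMZ mode using the preset levels."""
    return Interface(name, MODE_LEVELS[mode.upper()], subnet)


def default_allowed(src: Interface, dst: Interface) -> bool:
    """Default policy: a connection may be initiated from an equal-or-higher
    level toward a lower level, never from a lower level toward a higher one."""
    return src.level >= dst.level


def policy_matrix(ifaces):
    """Default pass/block decision for every ordered pair of distinct interfaces."""
    return {(s.name, d.name): default_allowed(s, d)
            for s, d in permutations(ifaces, 2)}


def generate_rules(ifaces):
    """Render the matrix as ipfilter-style rules (approximate syntax, one rule
    per inbound interface/destination pair; not m0n0wall's own rule generator).
    Only pass rules keep state, so reply traffic for blocked pairs is never opened."""
    rules = []
    for s, d in permutations(ifaces, 2):
        if default_allowed(s, d):
            rules.append(f"pass in quick on {s.name} from {s.subnet} to {d.subnet} keep state")
        else:
            rules.append(f"block in quick on {s.name} from {s.subnet} to {d.subnet}")
    return rules
```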