 From:  Chris Buechler <cbuechler at gmail dot com>
 To:  m0n0wall dash dev at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall-dev] interface security levels
 Date:  Fri, 1 Oct 2004 00:52:12 -0400
On Wed, 29 Sep 2004 21:24:59 -0400, Chris Dickens <chris at object dash zone dot net> wrote:
> Chris:
> I also remember something similar to this back when I used to use Linux for
> my firewall solution.  I believe the program was called packetflow or
> something like that, it took an XML file with various trust levels, IP
> settings, etc. and would automatically generate a shell script to populate
> the NAT and filter tables.  If someone feels like implementing something
> like this on a rainy day, I'm sure it would be a welcome addition to m0n0.
> The thing though is that m0n0 really is so easy to configure anyway that I
> personally think this would just be a great quick-setup feature that might
> only be used during initial setup, or am I missing the overall reason for
> the feature?

It's more than just for setup.  It would require a redesign in the way
the system handles firewall rules.  Each interface could talk to
anything on any lower security level interface, but not to anything on
any higher level security interface, without some implicit firewall
rules allowing or denying appropriately.
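As an added illustration of the model Chris describes (this is example code, not m0n0wall's own and not from the thread): a small generator that turns per-interface security levels into a default rule set. It emits ipfilter-style rules because m0n0wall ran on ipfilter at the time; the interface names, levels and subnets are made up, and treating equal levels as blocked is this example's assumption, since the message only speaks of higher and lower.

```python
"""Derive default filter rules from interface security levels.

Added example (not m0n0wall code): a hypothetical generator for the model
described in the thread.  Traffic may pass from an interface to any interface
with a lower security level; traffic towards a higher level is blocked unless
an explicit rule opens it.  Rule text is ipfilter-style, since m0n0wall used
ipfilter at the time; interface names, levels and subnets are made up.
"""

# Constructed sample: interface name -> (security level, directly attached net)
INTERFACES = {
    "xl0": (100, "192.168.1.0/24"),  # LAN, most trusted
    "xl1": (50, "192.168.2.0/24"),   # DMZ
    "xl2": (0, "any"),               # WAN, least trusted
}


def is_allowed_by_level(levels, src_if, dst_if):
    """True when src_if -> dst_if passes by default (strictly higher -> lower).

    Lower -> higher never passes implicitly.  Equal levels are treated as
    blocked too; that is this example's choice, the thread does not say.
    """
    return levels[src_if] > levels[dst_if]


def generate_rules(interfaces, explicit_allows=()):
    """Return ipfilter-style rules, in evaluation order, for the given model.

    interfaces:      {name: (level, subnet)}
    explicit_allows: (src_if, dst_if, proto, dst_port) tuples that punch a hole
                     from a lower level into a higher one.
    'quick' makes the first matching rule final, so the order below matters:
    explicit holes first, then per-interface blocks towards higher levels,
    then passes towards lower levels, then a catch-all block.
    """
    levels = {name: lvl for name, (lvl, _) in interfaces.items()}
    rules = ["# explicit holes towards higher security levels"]
    for src_if, dst_if, proto, port in explicit_allows:
        rules.append(
            f"pass in quick on {src_if} proto {proto} "
            f"from {interfaces[src_if][1]} to {interfaces[dst_if][1]} "
            f"port = {port} keep state"
        )

    rules.append("# implicit rules derived from security levels")
    for src_if in interfaces:
        src_net = interfaces[src_if][1]
        # Higher-level (blocked) destinations first: their subnets are more
        # specific than a WAN 'any', so they must precede the pass to 'any'.
        others = sorted((n for n in interfaces if n != src_if),
                        key=lambda n: -levels[n])
        for dst_if in others:
            dst_net = interfaces[dst_if][1]
            if is_allowed_by_level(levels, src_if, dst_if):
                rules.append(f"pass in quick on {src_if} from {src_net} "
                             f"to {dst_net} keep state")
            else:
                rules.append(f"block in quick on {src_if} from {src_net} "
                             f"to {dst_net}")
    rules.append("block in quick all")
    return rules


if __name__ == "__main__":
    # Open HTTP from the WAN into the DMZ net; everything else follows
    # from the levels alone.
    for line in generate_rules(INTERFACES, [("xl2", "xl1", "tcp", 80)]):
        print(line)
```

The point of the ordering is the one that bites in practice with first-match ("quick") rule sets: the block towards a more trusted, more specific subnet has to come before the pass towards the untrusted "any", or the pass swallows it and the level model silently leaks.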