On Thu, 31 Mar 2005 21:34:59 +0200, marijan <mjakara at xnet dot hr> wrote:
> In this case I must block all host (existing or not existing) on all
> interfaces (four).
No you don't. This is very easy. On each LAN interface permit all
only to the subnets of the other LAN's and permit the hosts you want
to get to the internet to get to anything and let everything else hit
the default deny. I don't see where out rules would be beneficial at
It's a lot cleaner to only maintain rules in one direction, and there
isn't any situation that can't be addressed this way.