 From:  Anders Hagman <anders dot hagman at netplex dot se>
 To:  marijan <mjakara at xnet dot hr>
 Cc:  'Monowall Develop' <m0n0wall dash dev at lists dot m0n0 dot ch>
 Subject:  Re: FW: [m0n0wall-dev] why only 'IN' firewall rules?
 Date:  Fri, 01 Apr 2005 09:47:12 +0200
Hi all

marijan wrote:
> Ok, you prefer simplicity, but I prefer a good firewall, not only 'IN'
> filtering...

I have worked with PIXes for some years now and I do not use output filters.

> If you check the FreeBSD ipf(8) filter utility, you will see that it includes
> commands like 'block out quick on xxx from xxx to xxx', and m0n0wall
> uses this utility to set up filtering..
> Why does the 'ipf' utility have an 'out' rule? Who needs this?.. The programmers of 'ipf'
> spent unnecessary time programming that. :)

I do not know how long you have been playing with routers and 
firewalls but I have done it for 15 years.
Stateful inspection is a rather new thing and before that time you had 
to use both input and output filters. Both ipf and ipfw are older than 
SPI and therefore they both have input and output filter functions.

In your example I can see the point of having output filters but the 
main problem is not m0n0wall not having output filters. The problem
is that you use the Internet-connected firewall as a core router in your 
network. Use a router as your core and solve your in-house problems there.
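The following is an added example, not part of the original thread and not m0n0wall's or ipf's own code. It is a toy packet filter that imitates a simplified subset of ipf(8) rule semantics (first-match "quick" rules, "keep state", a state table consulted before the rules) to show the point made above: a stateless ruleset has to carry both "in" and "out" rules on every interface and can only recognise replies by their TCP flags, whereas a ruleset with "keep state" gets by with "in" rules only and does not have that hole. The interface names (fxp0 as LAN, xl0 as WAN), addresses, ports and packets are all constructed for the illustration.

```python
# Added example (not from the original thread): a toy filter imitating a
# simplified subset of ipf(8) semantics. Interfaces fxp0 (LAN) and xl0 (WAN),
# addresses and the traffic below are constructed, not captured.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the filter sees the packet on
    direction: str   # "in" or "out" relative to that interface
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters, e.g. "S", "SA", "A"


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: str
    src: str = "any"             # CIDR or "any"
    dst: str = "any"
    sport: Optional[int] = None  # None matches any port
    dport: Optional[int] = None
    flags: Optional[str] = None  # letters that must all be set; None matches any
    keep_state: bool = False     # ipf-style "keep state": remember the flow

    def matches(self, p: Packet) -> bool:
        def net_ok(net: str, addr: str) -> bool:
            return net == "any" or ip_address(addr) in ip_network(net)
        return (p.direction == self.direction and p.iface == self.iface
                and net_ok(self.src, p.src) and net_ok(self.dst, p.dst)
                and (self.sport is None or p.sport == self.sport)
                and (self.dport is None or p.dport == self.dport)
                and (self.flags is None or set(self.flags) <= set(p.flags)))


Flow = Tuple[str, int, str, int]


class Filter:
    """First-match ("quick") rule list with a shared state table; default deny."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.state: Set[Flow] = set()

    def filter(self, p: Packet) -> str:
        flow: Flow = (p.src, p.sport, p.dst, p.dport)
        # A packet belonging to a known state passes on any interface and in
        # either direction before the rule list is consulted at all.
        if flow in self.state:
            return "pass"
        for r in self.rules:
            if r.matches(p):
                if r.action == "pass" and r.keep_state:
                    self.state.add(flow)
                    self.state.add((p.dst, p.dport, p.src, p.sport))  # reply direction
                return r.action
        return "block"


LAN = "10.0.0.0/24"

# Pre-SPI style: every direction on every interface needs its own rule, and a
# reply can only be recognised by the ACK flag (the old "established" trick).
STATELESS_RULES = [
    Rule("pass", "in",  "fxp0", src=LAN, dport=80),
    Rule("pass", "out", "xl0",  src=LAN, dport=80),
    Rule("pass", "in",  "xl0",  sport=80, dst=LAN, flags="A"),  # looks like a reply
    Rule("pass", "out", "fxp0", sport=80, dst=LAN, flags="A"),
    Rule("block", "in", "xl0"),
]

# "in"-only style: the LAN rule keeps state, and the state entry carries the
# forwarded packet and its reply through the other interface and direction.
STATEFUL_RULES = [
    Rule("pass", "in", "fxp0", src=LAN, dport=80, keep_state=True),
    Rule("block", "in", "xl0"),
]

# Constructed traffic: a LAN client's HTTP request forwarded out, the server's
# reply coming back, then an unsolicited packet from the Internet crafted with
# ACK set and source port 80 so that it passes for a reply.
SCENARIO = [
    Packet("fxp0", "in",  "10.0.0.5", 40000, "203.0.113.10", 80, "S"),
    Packet("xl0",  "out", "10.0.0.5", 40000, "203.0.113.10", 80, "S"),
    Packet("xl0",  "in",  "203.0.113.10", 80, "10.0.0.5", 40000, "SA"),
    Packet("fxp0", "out", "203.0.113.10", 80, "10.0.0.5", 40000, "SA"),
    Packet("xl0",  "in",  "198.51.100.7", 80, "10.0.0.9", 22, "A"),  # spoofed "reply" to ssh
]


def run_scenario(rules: List[Rule]) -> List[str]:
    fw = Filter(rules)
    return [fw.filter(p) for p in SCENARIO]


if __name__ == "__main__":
    print("stateless:", run_scenario(STATELESS_RULES))  # last verdict: pass (the hole)
    print("stateful: ", run_scenario(STATEFUL_RULES))   # last verdict: block
```

The stateless ruleset passes all five packets, including the spoofed one, because its only way to admit replies is a flag-based rule that anything with ACK set and source port 80 satisfies. The stateful ruleset needs no "out" rules and no reply rule at all: the flow created by the LAN "in" rule admits the forwarded packet and the genuine reply, and the spoofed packet, having no state, falls through to the block rule. Real ipf state tracking also checks sequence numbers and TCP state, which this toy leaves out.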