On 09/05/06, Russell Reader <melbourne at zoneadrenalan dot com dot au> wrote:
> I would like to know if the implementation of grouping with
> hosts/networks for aliases is something currently being worked on or is
> the a particular reason why it has not been already.
That's a feature I'd love to see off the to do list, too.
Rather than open up ports to any incoming IP, I prefer to restrict
them to the net blocks assigned to the providers I know I need access
from. For example, for my family I allow www, ftp, and https from the
eight netblocks (supernetted into 4) that their provider uses
regionally for ADSL, gleaned from RIPE.
On my PIX, I can do this in one rule (services and addresses both
grouped). On the m0n0, however, that makes 12 separate rules...
Granted, it's a slightly paranoid approach; but it *vastly* reduces
the target surface of my network compared to 'pass <some service> from
*', and centralises the rules on the firewall (rather than filtering
IPs on servers after m0n0 filters ports).
In a commercial environment, where IPs tend to be fixed, it's not so
much of an issue. But for domestic/small business users using ADSL,
address grouping used in this way is really useful; service grouping,
Does anyone have any comments on this approach?