 From:  boink <lordboink at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Cc:  melbourne at zoneadrenalan dot com dot au
 Subject:  [m0n0wall] When will grouping of hosts/networks for aliases be implemented into m0n0wall?
 Date:  Wed, 10 May 2006 01:03:59 +0200
On 09/05/06, Russell Reader <melbourne at zoneadrenalan dot com dot au> wrote:
> I would like to know if the implementation of grouping with
> hosts/networks for aliases is something currently being worked on or is
> there a particular reason why it has not been already.
>
> Thanks
> Russell
>
>

Dear m0n0,

That's a feature I'd love to see off the to-do list, too.

Rather than open up ports to any incoming IP, I prefer to restrict
them to the net blocks assigned to the providers I know I need access
from.  For example, for my family I allow www, ftp, and https from the
eight netblocks (supernetted into 4) that their provider uses
regionally for ADSL, gleaned from RIPE.

On my PIX, I can do this in one rule (services and addresses both
grouped).  On the m0n0, however, that makes 12 separate rules...

Granted, it's a slightly paranoid approach; but it *vastly* reduces
the target surface of my network compared to 'pass <some service> from
*', and centralises the rules on the firewall (rather than filtering
IPs on servers after m0n0 filters ports).

In a commercial environment, where IPs tend to be fixed, it's not so
much of an issue.  But for domestic/small business users using ADSL,
address grouping used in this way is really useful; service grouping,
too.

Does anyone have any comments on this approach?

Best wishes,
boink
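As an added illustration of the rule-count arithmetic in the post above (example code, not m0n0wall's own and not the poster's), the following Python collapses eight constructed netblocks into four supernets and expands one grouped source-alias x service-alias rule into the twelve flat rules a firewall without alias groups would need. The prefixes are constructed RFC 1918 samples, not any provider's real allocations.

```python
import ipaddress
from itertools import product

# Constructed sample: eight /24s a provider might hand out regionally for ADSL,
# laid out as four adjacent pairs so each pair supernets into one /23. These are
# private-range placeholders, not real registry (RIPE) data.
FAMILY_ISP_BLOCKS = [
    "10.10.0.0/24", "10.10.1.0/24",
    "10.10.4.0/24", "10.10.5.0/24",
    "10.20.8.0/24", "10.20.9.0/24",
    "10.30.16.0/24", "10.30.17.0/24",
]

# Service alias: the three services the post allows for family access.
FAMILY_SERVICES = {"www": ("tcp", 80), "ftp": ("tcp", 21), "https": ("tcp", 443)}


def supernet(blocks):
    """Collapse adjacent/overlapping CIDR blocks into the minimal supernet list."""
    nets = [ipaddress.ip_network(b, strict=True) for b in blocks]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def expand_rule(action, sources, services):
    """Expand one grouped rule into the flat (action, src, proto, port) rules
    that a firewall without host/service aliases needs: one per source x service."""
    return [(action, src, proto, port)
            for src, (proto, port) in product(sources, services.values())]


def covered_by(ip, blocks):
    """Check whether a single address falls inside any block of the source alias."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(b) for b in blocks)


if __name__ == "__main__":
    grouped_sources = supernet(FAMILY_ISP_BLOCKS)
    print("supernets:", grouped_sources)                     # 4 blocks
    flat = expand_rule("pass", grouped_sources, FAMILY_SERVICES)
    print("flat rules needed:", len(flat))                    # 12
    for rule in flat:
        print(rule)
```

Dropping the supernetting step doubles the flat list to 24 rules, which is the maintenance cost alias grouping removes.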