 From:  "Molle Bestefich" <molle dot bestefich at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch, support at pfsense dot com
 Subject:  per-interface rulebases: why?
 Date:  Thu, 1 Jun 2006 19:16:45 +0200
Hi guys

I've talked to three people now, and like me they can see only one
lonely use case for per-interface rules: anti-spoofing.

Seeing as anti-spoofing is largely automated in pfSense and m0n0wall,
is there any compelling reason for this odd division of the rulebase?

It makes the rules hard to work with, because in addition to deciding
on your source, destination and service, you have to either add your
rule to all of the interfaces, or try to figure out by what arcane
metric the firewall decides when to enforce the rules that are added
under one particular interface and when it's the rules associated with
another interface that are in action.

Hope you can enlighten me!
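The "metric" the post asks about, as an added example that is not from this thread or from either project: a small Python model of a per-interface rulebase, assuming (as pfSense and m0n0wall do) that rules are checked on the interface a packet enters, first match wins, unmatched traffic is dropped, and anti-spoofing rejects a source address that belongs to another interface's directly attached network. The interface names, networks and rules below are constructed.

```python
# Added example (not from the thread): model of a per-interface rulebase.
# Assumptions: rules are evaluated on the interface a packet ENTERS,
# first matching rule wins, and anything unmatched is dropped.
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str          # "pass" or "block"
    src: str             # CIDR or "any"
    dst: str             # CIDR or "any"
    port: Optional[int]  # destination port, None = any


# Constructed topology: each interface and its directly attached network.
INTERFACES = {
    "LAN": ipaddress.ip_network("192.168.1.0/24"),
    "WAN": ipaddress.ip_network("203.0.113.0/24"),
}

# Constructed per-interface rulebase: LAN hosts may browse out on 80,
# anyone on the Internet may reach the web server on 443.
RULES = {
    "LAN": [Rule("pass", "192.168.1.0/24", "any", 80)],
    "WAN": [Rule("pass", "any", "203.0.113.10/32", 443)],
}


def _cidr_match(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr)


def antispoof_ok(iface: str, src: str) -> bool:
    """Reject a source address that belongs to a different interface's network."""
    addr = ipaddress.ip_address(src)
    return not any(name != iface and addr in net for name, net in INTERFACES.items())


def evaluate(iface: str, src: str, dst: str, port: int) -> str:
    """Verdict for a packet entering on `iface`; only that interface's rules apply."""
    if not antispoof_ok(iface, src):
        return "block (spoofed source)"
    for r in RULES.get(iface, []):
        if _cidr_match(r.src, src) and _cidr_match(r.dst, dst) and r.port in (None, port):
            return r.action
    return "block (default deny)"
```

Because the ingress interface is fixed before any rule is consulted, a rule placed under LAN can never match a packet that arrived on WAN, which is the division the post finds puzzling.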