 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] per-interface rulebases: why?
 Date:  Thu, 1 Jun 2006 15:25:13 -0400
On 6/1/06, Molle Bestefich <molle dot bestefich at gmail dot com> wrote:
> I've talked to three people now, and like me they can see only one
> lonely use case for per-interface rules: anti-spoofing.

Can you name a firewall vendor that doesn't do per-interface rulesets?
(I'm sure there are some, but virtually all do per-interface.)  Or one
good reason it shouldn't be this way?

The vast majority of the time, it makes rulesets much cleaner and
easier to work with, and easier to read and comprehend.  For those
reasons, it's more secure (more difficult to screw something up).  If
you only have two interfaces, this might not be a big deal, but throw
in 6 interfaces or so and a complex ruleset to go along with it, and
the per-interface method makes *much* more sense.
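To make the two points in the message concrete (anti-spoofing, and a global rule being easier to get wrong), here is an added example that is not part of the list thread or of m0n0wall itself: a tiny first-match filter in Python, with constructed interface names, networks and packets, where the same "let the LAN out" intent is written once as a global rule and once bound to the LAN interface.

```python
"""Tiny first-match packet filter: global rules vs. per-interface rules.

Added example (not from the m0n0wall list thread). The interface names,
network and packets below are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

LAN_NET = IPv4Network("192.168.1.0/24")   # constructed sample LAN


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on
    src: IPv4Address
    dst: IPv4Address


@dataclass(frozen=True)
class Rule:
    action: str                        # "pass" or "block"
    src: Optional[IPv4Network] = None  # None matches any source
    iface: Optional[str] = None        # None means the rule is global


def match(rule: Rule, pkt: Packet) -> bool:
    """A rule matches when every constraint it carries is satisfied."""
    if rule.iface is not None and rule.iface != pkt.iface:
        return False
    if rule.src is not None and pkt.src not in rule.src:
        return False
    return True


def decide(rules: list, pkt: Packet, default: str = "block") -> str:
    """First matching rule wins; unmatched traffic gets the default."""
    for rule in rules:
        if match(rule, pkt):
            return rule.action
    return default


# Global ruleset: "let the LAN out" written without an interface binding.
GLOBAL_RULES = [Rule("pass", src=LAN_NET)]

# Per-interface ruleset: same intent bound to LAN, plus an explicit
# anti-spoofing block on WAN for packets that claim a LAN source.
PER_IFACE_RULES = [
    Rule("block", src=LAN_NET, iface="wan"),   # anti-spoofing on WAN
    Rule("pass", src=LAN_NET, iface="lan"),
]

# Constructed packets: a genuine LAN host, and a WAN packet forging a LAN source.
LEGIT = Packet("lan", IPv4Address("192.168.1.10"), IPv4Address("203.0.113.5"))
SPOOFED = Packet("wan", IPv4Address("192.168.1.10"), IPv4Address("192.168.1.1"))
```

With the global ruleset the forged packet arriving on WAN is passed, because nothing in the rule says where LAN traffic is allowed to enter; the interface-bound version blocks it while still passing the legitimate LAN host.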