On 6/1/06, Molle Bestefich <molle dot bestefich at gmail dot com> wrote:
> I've talked to three people now, and like me they can see only one
> lonely use case for per-interface rules: anti-spoofing.
Can you name a firewall vendor that doesn't do per-interface rulesets?
(I'm sure there are some, but virtually all do per-interface) Or one
good reason it shouldn't be this way?
The vast majority of the time, it makes rulesets much cleaner and
easier to work with, and easier to read and comprehend. For those
reasons, it's more secure (more difficult to screw something up). If
you only have two interfaces, this might not be a big deal, but throw
in 6 interfaces or so and a complex ruleset to go along with it, and
the per-interface method makes *much* more sense.