Chris Buechler wrote:
> Can you name a firewall vendor that doesn't do per-interface rulesets?
I can name a dozen.
Start in the big league with the mother of them all, Check Point
Software Technologies Ltd.
> Or one good reason it shouldn't be this way?
If there's no real use cases (as I suspect), then adding complexity
makes the rulebase harder to figure out.
* It forces the administrator to think interfaces into every rule,
even though they are completely irrelevant (please state use cases if
you think this is wrong).
* The administrator needs to look in a multitude of different sections
for h(is/er) rules.
* You lose a lot of simplicity - it's no longer "rules mentioned
first are acted upon first", "it's rules listed first are acted upon
first, well, depending on how the traffic looks and on which interface
it arrived or is going to, and depending on whether the packet in
question is currently before or after the kernel IP router.." or some
> The vast majority of the time, it makes rulesets much cleaner and
> easier to work with, and easier to read and comprehend.
Ok, that's a real use case!
Can you elaborate?
How are per-interface rulebases much cleaner compared to other ways of
(For example, you could maintain the simplicity and linearity of one
rulebase if you allowed the user to group consecutive rules into a
of a '+/-' button.)