Chris Buechler wrote:

> Can you name a firewall vendor that doesn't do per-interface rulesets?

I can name a dozen. Start in the big league with the mother of them all, Check Point Software Technologies Ltd.

> Or one good reason it shouldn't be this way?

If there are no real use cases (as I suspect), then adding complexity makes the rulebase harder to figure out.

* It forces the administrator to think interfaces into every rule, even though they are completely irrelevant (please state use cases if you think this is wrong).
* The administrator needs to look in a multitude of different sections for his/her rules.
* You lose a lot of simplicity - it's no longer "rules mentioned first are acted upon first", it's "rules listed first are acted upon first, well, depending on how the traffic looks and on which interface it arrived or is going to, and depending on whether the packet in question is currently before or after the kernel IP router..." or some such.

> The vast majority of the time, it makes rulesets much cleaner and
> easier to work with, and easier to read and comprehend.

Ok, that's a real use case! Thanks! Can you elaborate? How are per-interface rulebases much cleaner compared to other ways of grouping rules? (For example, you could maintain the simplicity and linearity of one rulebase if you allowed the user to group consecutive rules into a "group", which could be folded/unfolded by JavaScript with the click of a '+/-' button.)
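The two models argued over above, a single linear first-match rulebase where the interface is just one more match field versus one ruleset per interface, can be put side by side in a few dozen lines. The toy filter below is an added example written for this page; it is not code from the thread, from pfSense or from Check Point. It assumes first-match semantics, an implicit deny when nothing matches, matching on the ingress interface only, and prefix-string address matching instead of real CIDR math; the interface names, rules and packets are constructed for illustration.

```python
"""Toy first-match packet filter evaluated two ways: one flat rulebase
with an optional interface field, and per-interface rulesets.
Added example for illustration; all names and data are constructed."""

from dataclasses import dataclass
from typing import Optional

DEFAULT_ACTION = "block"   # assumption: implicit deny when no rule matches


@dataclass(frozen=True)
class Packet:
    iface: str     # ingress interface (egress is ignored in this toy)
    proto: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    iface: Optional[str] = None  # None = applies on every interface
    proto: Optional[str] = None
    src: Optional[str] = None    # exact host or string prefix, e.g. "10.0.0."
    dst: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        # Every field that is None is a wildcard; all set fields must match.
        return ((self.iface is None or self.iface == pkt.iface)
                and (self.proto is None or self.proto == pkt.proto)
                and (self.src is None or pkt.src.startswith(self.src))
                and (self.dst is None or pkt.dst.startswith(self.dst))
                and (self.dport is None or self.dport == pkt.dport))


def evaluate_flat(rules, pkt):
    """One linear rulebase: the first matching rule decides."""
    for r in rules:
        if r.matches(pkt):
            return r.action
    return DEFAULT_ACTION


def evaluate_per_iface(tables, pkt):
    """Per-interface rulesets: pick the ingress table, then first match."""
    return evaluate_flat(tables.get(pkt.iface, []), pkt)


def split_by_interface(rules, interfaces):
    """Flat -> per-interface, preserving order. A rule with iface=None
    (e.g. 'no telnet anywhere') must be copied into every table."""
    tables = {i: [] for i in interfaces}
    for r in rules:
        for i in (interfaces if r.iface is None else [r.iface]):
            tables[i].append(r)
    return tables


def flatten(tables):
    """Per-interface -> flat, by tagging each rule with its table's
    interface. Tables never interact under first match, so any
    interleaving of the tables gives the same verdicts."""
    flat = []
    for iface, rules in tables.items():
        for r in rules:
            if r.iface not in (None, iface):
                continue  # dead rule: could never match in that table
            flat.append(Rule(r.action, iface, r.proto, r.src, r.dst, r.dport))
    return flat


# Constructed policy and traffic sample (not from the thread).
INTERFACES = ["wan", "lan", "dmz"]
FLAT_POLICY = [
    Rule("block", proto="tcp", dport=23),                     # no telnet, any iface
    Rule("block", iface="wan", src="10.0.0."),                # anti-spoof on WAN
    Rule("pass", iface="wan", proto="tcp", dst="192.0.2.10", dport=443),
    Rule("pass", iface="lan"),                                # LAN may go anywhere
    Rule("pass", iface="dmz", proto="udp", dst="192.0.2.53", dport=53),
]
PACKETS = [
    Packet("wan", "tcp", "10.0.0.5", "192.0.2.10", 443),      # spoofed -> block
    Packet("wan", "tcp", "198.51.100.7", "192.0.2.10", 443),  # -> pass
    Packet("wan", "tcp", "198.51.100.7", "192.0.2.10", 22),   # -> default block
    Packet("lan", "tcp", "10.0.0.5", "203.0.113.9", 23),      # telnet -> block
    Packet("lan", "tcp", "10.0.0.5", "203.0.113.9", 80),      # -> pass
    Packet("dmz", "udp", "192.0.2.20", "192.0.2.53", 53),     # -> pass
    Packet("dmz", "tcp", "192.0.2.20", "10.0.0.5", 445),      # -> default block
]


def verdicts(policy, evaluator, packets=PACKETS):
    return [evaluator(policy, p) for p in packets]


def models_agree():
    """True if flat, split and round-tripped policies give identical verdicts."""
    tables = split_by_interface(FLAT_POLICY, INTERFACES)
    return (verdicts(FLAT_POLICY, evaluate_flat)
            == verdicts(tables, evaluate_per_iface)
            == verdicts(flatten(tables), evaluate_flat))


def rule_counts():
    """(rules in the flat policy, total rules after splitting per interface)."""
    tables = split_by_interface(FLAT_POLICY, INTERFACES)
    return len(FLAT_POLICY), sum(len(t) for t in tables.values())


if __name__ == "__main__":
    print("models agree:", models_agree())
    print("flat vs per-interface rule count:", rule_counts())
```

Under first-match semantics the two layouts are interconvertible, which is why the question of which one is "cleaner" is about presentation rather than expressiveness. The cost the thread points at is visible in `rule_counts()`: the single interface-agnostic "no telnet" rule has to be copied into all three tables, so an administrator auditing that policy has to find and keep in sync three copies instead of one.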