 From:  "Molle Bestefich" <molle dot bestefich at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: per-interface rulebases: why?
 Date:  Thu, 1 Jun 2006 21:42:21 +0200
Chris Buechler wrote:
> Can you name a firewall vendor that doesn't do per-interface rulesets?

I can name a dozen.

Start in the big league with the mother of them all, Check Point
Software Technologies Ltd.

> Or one good reason it shouldn't be this way?

If there's no real use cases (as I suspect), then adding complexity
makes the rulebase harder to figure out.

* It forces the administrator to think interfaces into every rule,
even though they are completely irrelevant (please state use cases if
you think this is wrong).

* The administrator needs to look in a multitude of different sections
for h(is/er) rules.

* You lose a lot of simplicity - it's no longer "rules mentioned
first are acted upon first", "it's rules listed first are acted upon
first, well, depending on how the traffic looks and on which interface
it arrived or is going to, and depending on whether the packet in
question is currently before or after the kernel IP router.." or some

> The vast majority of the time, it makes rulesets much cleaner and
> easier to work with, and easier to read and comprehend.

Ok, that's a real use case!

Can you elaborate?
How are per-interface rulebases much cleaner compared to other ways of
grouping rules?

(For example, you could maintain the simplicity and linearity of one
rulebase if you allowed the user to group consecutive rules into a
"group", which could be folded/unfolded by javascript with the click
of a '+/-' button.)
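To make the two models being debated concrete, here is a toy first-match filter, added as an example and not part of the original thread or of m0n0wall's code: one linear rulebase where the interface is just an optional match criterion, beside the same policy split into per-interface rulebases. Interface names, addresses and rules are constructed sample data; note how the interface-agnostic "protect this host" rule must be repeated in every per-interface list, and how an interface nobody wrote a list for falls straight to the default.

```python
"""Toy first-match packet filter (added example, not from the thread).
Contrasts one linear rulebase with per-interface rulebases.
All interfaces, addresses and rules below are constructed sample data."""
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    dst: Optional[str] = None    # None = any destination
    dport: Optional[int] = None  # None = any port
    iface: Optional[str] = None  # only used by the linear model

    def matches(self, pkt: Packet) -> bool:
        return ((self.dst is None or self.dst == pkt.dst)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.iface is None or self.iface == pkt.iface))

def first_match(rules, pkt: Packet, default: str = "block") -> str:
    """Rules listed first are acted upon first; unmatched traffic hits the default."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default

# Linear model: one ordered list; the interface is just another optional criterion.
LINEAR = [
    Rule("block", dst="10.0.0.5"),          # interface-agnostic: protect this host everywhere
    Rule("pass", dport=80),                 # web traffic from anywhere
    Rule("pass", dport=22, iface="lan"),    # ssh only when arriving on lan
]

# Per-interface model: the same policy, but the host-protecting rule is duplicated
# per list, and any interface without a list (e.g. a later-added "dmz") gets only the default.
PER_IFACE = {
    "lan": [Rule("block", dst="10.0.0.5"), Rule("pass", dport=80), Rule("pass", dport=22)],
    "wan": [Rule("block", dst="10.0.0.5"), Rule("pass", dport=80)],
}

def evaluate_linear(pkt: Packet) -> str:
    return first_match(LINEAR, pkt)

def evaluate_per_iface(pkt: Packet) -> str:
    return first_match(PER_IFACE.get(pkt.iface, []), pkt)
```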