 From:  "Chris Buechler" <cbuechler at gmail dot com>
 Cc:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] Re: per-interface rulebases: why?
 Date:  Thu, 1 Jun 2006 15:51:29 -0400
On 6/1/06, Molle Bestefich <molle dot bestefich at gmail dot com> wrote:
> Start in the big league with the mother of them all, Check Point
> Software Technologies Ltd.

If you want to drop big names, Cisco does per interface, and I
wouldn't give it up for anything.

> If there's no real use cases (as I suspect), then adding complexity
> makes the rulebase harder to figure out.

This isn't adding complexity, it's removing it.

>  * You lose a lot of simplicity - it's no longer "rules mentioned
> first are acted upon first", "it's rules listed first are acted upon
> first, well, depending on how the traffic looks and on which interface
> it arrived or is going to, and depending on whether the packet in
> question is currently before or after the kernel IP router.." or some
> such..

That's a bunch of crap.  You're making it far more complex than it is.
First match applies, and the ruleset on the interface the traffic is
entering applies.  Very simple.

I'm not going to waste my time arguing with you.  It's a matter of
personal preference, and if you don't like the per-interface way, go
use Check Point or MS ISA.
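To make the evaluation model described in this reply concrete ("first match applies, and the ruleset on the interface the traffic is entering applies"), here is a small simulation of both styles side by side. It is an added example written for this archive page, not code from m0n0wall, pf, Cisco or any other product named in the thread; the rule format, the interface names (lan, wan, dmz), the addresses and the sample packets are all constructed for the demonstration. The `GLOBAL_SLOPPY` list shows the kind of slip a single global list invites: one rule written without its interface qualifier, which the per-interface layout cannot express at all.

```python
"""Toy model of the two rule-evaluation styles argued about in the thread:
one global rulebase versus a separate rulebase per interface, both using
first-match semantics with a default deny.

Added illustration only: not m0n0wall's, pf's or Cisco's code. The rule
format, interface names and sample packets are constructed for the demo.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    in_if: str                   # interface the packet arrived on
    src: str
    dst: str
    proto: str = "tcp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    src: str = "any"             # CIDR, single address, or "any"
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None
    in_if: Optional[str] = None  # used only by the global model
    note: str = ""

    def matches(self, pkt: Packet) -> bool:
        def in_net(spec: str, addr: str) -> bool:
            return spec == "any" or ip_address(addr) in ip_network(spec)
        return (in_net(self.src, pkt.src)
                and in_net(self.dst, pkt.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport)
                and (self.in_if is None or self.in_if == pkt.in_if))


def first_match(rules: list, pkt: Packet) -> str:
    """The first matching rule decides; no match at all means default deny."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "block"


# Per-interface model: a packet is evaluated only against the list belonging
# to the interface it entered on, so no rule needs an interface field.
PER_IF = {
    "lan": [Rule("pass", src="192.168.1.0/24", note="LAN hosts may go anywhere")],
    "wan": [Rule("pass", dst="192.168.1.10", proto="tcp", dport=443,
                 note="inbound HTTPS to the web server")],
    "dmz": [Rule("block", dst="192.168.1.0/24", note="DMZ must not reach LAN"),
            Rule("pass", src="10.0.0.0/24", note="DMZ to anywhere else")],
}


def decide_per_interface(pkt: Packet, tables: dict = PER_IF) -> str:
    return first_match(tables.get(pkt.in_if, []), pkt)


# Global model: the same policy as one ordered list, where the interface has
# to be written into every rule and ordering across interfaces now matters.
GLOBAL = [
    Rule("pass", src="192.168.1.0/24", in_if="lan"),
    Rule("pass", dst="192.168.1.10", proto="tcp", dport=443, in_if="wan"),
    Rule("block", dst="192.168.1.0/24", in_if="dmz"),
    Rule("pass", src="10.0.0.0/24", in_if="dmz"),
]

# The same global list with the interface qualifier forgotten on the first
# rule: a LAN-sourced address is now trusted no matter where it shows up.
GLOBAL_SLOPPY = [Rule("pass", src="192.168.1.0/24")] + GLOBAL[1:]


def decide_global(pkt: Packet, rules: list = GLOBAL) -> str:
    return first_match(rules, pkt)


if __name__ == "__main__":
    # Constructed sample packets: two ordinary flows and one that carries a
    # LAN source address but arrives on the WAN interface.
    samples = [
        Packet("lan", "192.168.1.20", "8.8.8.8", "udp", 53),
        Packet("dmz", "10.0.0.5", "192.168.1.20", "tcp", 22),
        Packet("wan", "192.168.1.50", "192.168.1.10", "tcp", 22),
    ]
    for pkt in samples:
        print(f"{pkt.in_if:>3} {pkt.src:>14} -> {pkt.dst:<14} "
              f"per-if={decide_per_interface(pkt):5} "
              f"global={decide_global(pkt):5} "
              f"sloppy={decide_global(pkt, GLOBAL_SLOPPY)}")
```

Running it shows the two models agreeing on every packet as long as each global rule carries its interface; only the sloppy list passes the WAN-arriving packet with a LAN source, because the missing `in_if` turns a LAN rule into an all-interfaces rule. In the per-interface layout that rule lives in the LAN table and is simply never consulted for WAN traffic.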