[ previous ] [ next ] [ threads ]
 From:  "Molle Bestefich" <molle dot bestefich at gmail dot com>
 To:  m0n0wall at lists dot m0n0 dot ch, support at pfsense dot com
 Subject:  Re: [m0n0wall] Re: per-interface rulebases: why?
 Date:  Thu, 1 Jun 2006 22:37:25 +0200
Chris Buechler wrote:
> If you want to drop big names

Hey, you're the one who asked :-).
But fine idea, let's not look at what others do, that's rather pointless anyway.

> > If there's no real use cases (as I suspect), then adding complexity
> > makes the rulebase harder to figure out.
> this isn't adding complexity, it's removing it.

I'll agree that going from multiple rulebases to one rulebase is
removing complexity, even though there obviously needs to be some sort
of a solution for grouping rules.

Earlier, I outlined a custom grouping solution, with per-group
descriptions and folding/unfolding buttons.

Another approach would be a checkbox for each defined network.
Checking a box next to a network/host would mean "show me only rules
affecting these networks / hosts".  Hidden rules could go behind a
text like "5 rule(s) hidden", just like Gmail hides quotes.

(Details:  Default behaviour would be to show everything.  Many
networks mean many checkboxes, so checkboxes should be buffed away in
a dropdown.)

> >  * You loose a lot of simplicity - it's no longer "rules mentioned
> > first are acted upon first", "it's rules listed first are acted upon
> > first, well, depending on how the traffic looks and on which interface
> > it arrived or is going to, and depending on whether the packet in
> > question is currently before or after the kernel IP router.." or some
> > such..
> That's a bunch of crap.  You're making it far more complex than it is.
> First match applies, and the ruleset on the interface the traffic is
> entering applies.  Very simple.

Very nice, concise description.
It should probably go on the "Rules" page as a hint to those who don't get it.
(With the "you're full of crap" thing taken out ;-).)

I agree that I was depicting things slightly too complex.

But I withhold that the administrator is forced to think about
interfaces in a lot of situations where it's simply not appropriate
nor desirable.

> It's a matter of personal preference,
> Obviously the developers here prefer per-interface.

Noone has mentioned past discussions or pointed at design notes.
Therefore I assume that the state of affairs is that the developers
hasn't used much time to think about and discuss the merits and
deficiencies of one design versus the other versus the third.

Other than that, point taken.

> if you don't like the per-interface way, go use Check Point or MS ISA.

It's just a discussion - no need to tell me to f... off unless you're
really passionate about it.