 From:  "Lee Sharp" <leesharp at hal dash pc dot org>
 To:  <m0n0wall at lists dot m0n0 dot ch>
 Subject:  Re: [m0n0wall] Re: per-interface rulebases: why?
 Date:  Thu, 1 Jun 2006 16:56:21 -0500
From: "Molle Bestefich" <molle dot bestefich at gmail dot com>
> Lee Sharp wrote:

>> > If there's no real use cases (as I suspect), then adding complexity
>> > makes the rulebase harder to figure out.

>> It makes it much simpler if you think in a "spatial relations" sort of 
>> way.
>> What is the flow of the traffic, and look at those interfaces.

> I fail to see how your "flow of traffic between interfaces" way of
> thinking is superior to my "flow of traffic between networks/hosts".

In the above statement, "interfaces" and "networks" can be considered equal. 
And if you think hosts, you can miss what you are passing through, or not. 
For example "Home" to "the office printer" can mean different things based 
on VPN, or port forwarding.

>> It is just grouped by interface to make it easier for US.

> It's still added complexity as far as I can see, though I guess it
> does make it easier for people who're used to it, and perhaps the
> developers.

A different way of thinking.  And you say "THE DEVELOPERS" like they are 
some weird guys in robes among the clouds...  You can be one too.  Just 
change the code.  You only need to play with the page 
https://gateway/firewall_rules.php which is on the root filesystem under 
/usr/local/www and present something new.  It might end up being put into 
the distribution.

                            Lee