Exactly!
And if you have non-aggregatable addressing you will have to put several "not" rules.
It would be nice to have a grouping function for hosts and networks...
Daniele
Chris Buechler wrote:
> That's correct, but there are more logical and sensible ways to do
> this. Every site should use subnets that can be CIDR summarized. Then
> you can add subnets without changing any of this, and also permit to
> everything *but* your internal subnets in one rule by using
> destination "not" your internal subnets.
>
> For example, if you use 192.168.1.0/24, 192.168.2.0/24, etc. through
> 192.168.254.0/24, you can summarize with 192.168.0.0/16. Then allow to
> destination "not" 192.168.0.0/16 and you have what you're after.
>
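As an added illustration of the two points above (not code from either poster): the helper below collapses a list of subnets into the single covering block Chris describes, and shows how many separate "not" entries a non-aggregatable plan would need instead. It assumes the firewall's destination "not" simply excludes the listed prefixes; the sample subnets are constructed.

```python
from ipaddress import ip_network, ip_address, collapse_addresses


def summarize(subnets):
    """Exact minimal set of CIDR prefixes covering the given subnets (no over-inclusion)."""
    return [str(n) for n in collapse_addresses(ip_network(s) for s in subnets)]


def covering_block(subnets):
    """Single prefix that covers every subnet, the 'summarized' block used in one 'not' rule.

    It may include address space not yet allocated, which is exactly what makes it
    possible to add sites later without touching the rule.
    """
    nets = [ip_network(s) for s in subnets]
    block = nets[0]
    while not all(n.subnet_of(block) for n in nets):
        block = block.supernet()  # widen one bit at a time until everything fits
    return str(block)


def not_entries_needed(subnets):
    """How many separate destination-'not' prefixes an exact (non-aggregated) rule set needs."""
    return len(summarize(subnets))


def is_allowed(dst, internal_prefixes):
    """Emulate 'allow to destination NOT <internal>' for one packet destination."""
    addr = ip_address(dst)
    return not any(addr in ip_network(p) for p in internal_prefixes)


if __name__ == "__main__":
    # Constructed sample: the plan from the thread, 192.168.1.0/24 .. 192.168.254.0/24
    planned = [f"192.168.{i}.0/24" for i in range(1, 255)]
    print(covering_block(planned))            # one block: 192.168.0.0/16
    print(not_entries_needed(planned))        # exact collapse still needs 14 prefixes
    # Constructed sample: non-aggregatable plan (RFC 1918 ranges mixed)
    scattered = ["10.1.0.0/16", "172.16.5.0/24"]
    print(covering_block(scattered))          # 0.0.0.0/0: useless as a single 'not'
    print(not_entries_needed(scattered))      # so two 'not' entries are required
    print(is_allowed("8.8.8.8", ["192.168.0.0/16"]))
    print(is_allowed("192.168.7.9", ["192.168.0.0/16"]))
```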