On 07/09/2011 17:08, Lee Sharp wrote:
> On 09/07/2011 07:19 AM, Tonix (Antonio Nati) wrote:
>> OUT rules
>>
>> Possibility to choose if all rules apply to incoming or outgoing
>> connections:
>> If incoming, rules would apply as now. Now, with more interfaces, we
>> are forced to write the same rules on all interfaces, in order to
>> protect services.
>> If outgoing, rules would be applied on the outgoing interface. This
>> would simplify management of more interfaces, because rules would be
>> written only once and only on the outgoing interface.
>> As an alternative, maintaining the actual incoming rules, it would be nice
>> to have one PRE-RULES panel whose rules would be applied to any
>> interface, before interface local rules.
>
> I see this as a disadvantage, since you no longer have the granular
> control.

It is granular in the same way, but easier to manage, and with fewer rules to be written.

Actually, if you want to know who is permitted to use a service, you must walk through all interfaces, while in the way I propose you have all the rules on the service's interface.

With output rules, you write the rule only once. With incoming rules, you have to write (and manage, and execute at run time) a number of rules which is multiplied by the number of interfaces.

Outgoing interface eth5:
  enable from any port any to: 100.100.100.100 port 25

With the actual system, you have to write the same rule for every incoming interface:

Incoming interface eth0:
  enable from any port any to: 100.100.100.100 port 25
Incoming interface eth1:
  enable from any port any to: 100.100.100.100 port 25
Incoming interface eth2:
  enable from any port any to: 100.100.100.100 port 25
.............
Incoming interface ethX:
  enable from any port any to: 100.100.100.100 port 25

If you want complex exceptions, you write them only in one place. If you want to examine who accesses a service, see the rules on the service interface.

This is the point of view of an ISP, which can be opposite to other points of view.
For such reason I suggest someone can choose the general behaviour of his/her installation: input or output rules.

> However, I can see your trouble with making the same rule twice. (Or
> more) But did you know you can copy a rule to another interface? You
> just have to change the interface drop down and source dropdown.

Of course now I'm forced to copy rules, but when I need to change order or add rules/exceptions it is really troublesome.

I have about 20 vlans (interfaces), most of which are DMZ which publish only some services to all the world (Internet + DMZs), so I have to replicate each change on all 20 interfaces.

With this small change manageability would become fantastic for ISP environments. Rules would be much fewer, and general speed of monowall would be better.

Regards,

Tonino

> Lee
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: m0n0wall dash unsubscribe at lists dot m0n0 dot ch
> For additional commands, e-mail: m0n0wall dash help at lists dot m0n0 dot ch

-- 
------------------------------------------------------------
Inter@zioni            Interazioni di Antonio Nati
http://www.interazioni.it      tonix at interazioni dot it
------------------------------------------------------------
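As an added illustration of the rule-count argument in the message above (this is not code from the thread or from m0n0wall itself), the following Python model writes the policy once as a rule on the service's outgoing interface, expands it mechanically into the one-rule-per-incoming-interface form that the current scheme requires, counts both, and checks that the two rulesets give the same verdict for a handful of packets. The rule and packet format, the interface names, the routing table and the sample packets are all assumptions made for the demonstration.

```python
"""Rule-replication model for the egress-rule proposal in the thread.

Added example, not m0n0wall code. It models the two rule styles the post
compares: (a) one rule on the service's outgoing interface, and
(b) the same policy written as one incoming rule per ingress interface.
expand_to_ingress() performs the replication mechanically, the counts show
the multiplication by the number of interfaces, and rulesets_agree() checks
that both styles give the same verdict for constructed sample packets.
The Rule/Packet format, interface names, routes and packets are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    iface: str              # interface the rule is attached to
    direction: str          # "in": matched on ingress, "out": matched on egress
    dst: str                # destination address or "any"
    dport: Optional[int]    # destination port, None = any port
    action: str             # "pass" or "block"


@dataclass(frozen=True)
class Packet:
    in_iface: str
    dst: str
    dport: int


# Assumed routing table: the destination fixes the egress interface, which is
# what makes the two rule styles equivalent in the first place.
ROUTES: Dict[str, str] = {"100.100.100.100": "eth5", "192.0.2.10": "eth3"}
INTERFACES = [f"eth{i}" for i in range(20)]   # about 20 VLANs, as in the post


def _matches(rule: Rule, pkt: Packet) -> bool:
    iface = pkt.in_iface if rule.direction == "in" else ROUTES[pkt.dst]
    return (rule.iface == iface
            and rule.dst in ("any", pkt.dst)
            and rule.dport in (None, pkt.dport))


def verdict(rules: List[Rule], pkt: Packet, default: str = "block") -> str:
    """First-match evaluation; unmatched traffic falls to the default policy."""
    for rule in rules:
        if _matches(rule, pkt):
            return rule.action
    return default


def expand_to_ingress(egress_rules: List[Rule], interfaces: List[str]) -> List[Rule]:
    """Rewrite each egress rule as one ingress rule on every other interface.

    This is the copy-to-every-interface work the post describes, done by a
    loop. Iterating rules in the outer loop keeps the relative order of the
    rules on each interface, which first-match evaluation depends on.
    """
    expanded = []
    for rule in egress_rules:
        for iface in interfaces:
            if iface != rule.iface:   # routed traffic never leaves on the interface it entered
                expanded.append(Rule(iface, "in", rule.dst, rule.dport, rule.action))
    return expanded


# Constructed policy for the mail host behind eth5: block SSH, allow any
# other port. The exception precedes the general rule, so order matters.
EGRESS_RULES = [
    Rule("eth5", "out", "100.100.100.100", 22, "block"),
    Rule("eth5", "out", "100.100.100.100", None, "pass"),
]
INGRESS_RULES = expand_to_ingress(EGRESS_RULES, INTERFACES)

# Constructed sample packets (ingress interface, destination, port).
SAMPLES = [
    Packet("eth0", "100.100.100.100", 25),   # SMTP from WAN: pass
    Packet("eth7", "100.100.100.100", 22),   # SSH from another DMZ: block
    Packet("eth7", "100.100.100.100", 80),   # HTTP: pass via the general rule
    Packet("eth0", "192.0.2.10", 25),        # host nobody published: default block
]


def rule_counts() -> Tuple[int, int]:
    """(rules written once on the egress interface, rules after replication)."""
    return len(EGRESS_RULES), len(INGRESS_RULES)


def rulesets_agree() -> bool:
    return all(verdict(EGRESS_RULES, p) == verdict(INGRESS_RULES, p) for p in SAMPLES)


if __name__ == "__main__":
    egress_n, ingress_n = rule_counts()
    print(f"egress-style rules: {egress_n}; same policy as ingress rules: {ingress_n}")
    for p in SAMPLES:
        print(f"{p.in_iface} -> {p.dst}:{p.dport}: {verdict(EGRESS_RULES, p)}")
    print("both rule styles agree on all samples:", rulesets_agree())
```

Two rules on the egress interface become 38 rules once replicated over 19 other interfaces, and every later change (a new exception, a reordering) has to be repeated 19 times in the same relative position. The equivalence holds only because routing ties each destination to one egress interface; a PRE-RULES panel applied before the per-interface rules, as suggested in the message, amounts to running this expansion step automatically.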