 From:  Anders Hagman <anders dot hagman at netplex dot se>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] CARP and OUT rules
 Date:  Thu, 8 Sep 2011 21:44:29 +0200
On 7 Sep 2011, at 23:41, Tonix (Antonio Nati) wrote:

> On 07/09/2011 22:32, Joey Morin wrote:
>> On Wed, Sep 7, 2011 at 11:53 AM, Tonix (Antonio Nati)
>> <tonix at interazioni dot it> wrote:
>>> With this small change manageability would become fantastic for ISP
>>> environments.
>>> Rules would be much less, and general speed of monowall would be better.
>> while I agree that this kind of feature would be much easier to manage and
>> maintain (especially in a situation with soooo many interfaces), it's
>> unlikely that it would improve performance.  I suspect that the
>> configuration feature you seek would still need to generate individual rules
>> for each interface, either at configuration time or dynamically at run time.
> Why?
> Practically speaking instead of several "pass in"
>   pass in on eth0 proto tcp from any to
>   pass in on eth1 proto tcp from any to
>   pass in on eth2 proto tcp from any to
>   pass in on eth3 proto tcp from any to
>   ...............................
>   pass in on ethN proto tcp from any to
> it would become simply
>   pass out on eth5 proto tcp from any to
> This "pass out" rule eliminates all N rules needed for every incoming interface.
> So, I feel handling of a rules table 20 times smaller would help a lot rules checking performance.
> But that would be a side effect. Main effect is real manageability. In complex situations like
> mine, actual monowall behaviours are hard to manage.
> Basically, it is a question of perspective.
> As normal user or end user actual behaviour is fine.
> As ISP, managing dozens of vlans, actual behaviour is hard to use, hard to maintain, hard to check.
> Using output rules would help extremely and would simplify security schemas.

You are right, but not knowing exactly how ipfilter works here is a thought.
The default behavior is to deny all incoming traffic and you must specify a permit rule to allow
your traffic through.
Because the firewall is stateful it will create a dynamic rule to shortcut the filter table.


You have to do your incoming filter anyway.
Even if we do an outgoing filter does the firewall test it at all?
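The trade-off the thread is discussing, shown as a small added model rather than any m0n0wall or ipfilter code: a toy first-match evaluator (the semantics of ipfilter rules written with `quick`; ipfilter's default is last-match) with default deny, a generator for the N per-ingress "pass in" rules, and the single "pass out" rule on the egress interface. The interface names, server address and port are constructed, and the rule text it prints is a subset of ipfilter syntax chosen for illustration.

```python
# Added example, not m0n0wall/ipfilter code. Assumptions: first-match
# ("quick") evaluation, default deny, and a forwarded packet is judged on the
# interface the rule's direction names (in_iface for "in", out_iface for "out").
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    in_iface: str     # VLAN/interface the packet arrives on
    out_iface: str    # interface the packet would leave by
    proto: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    iface: str             # interface name or "any"
    proto: str             # "tcp", "udp" or "any"
    dst: str               # destination host or "any"
    dport: Optional[int]   # None means any port

    def matches(self, flow: Flow) -> bool:
        iface = flow.in_iface if self.direction == "in" else flow.out_iface
        return (self.iface in ("any", iface)
                and self.proto in ("any", flow.proto)
                and self.dst in ("any", flow.dst)
                and (self.dport is None or self.dport == flow.dport))

    def text(self) -> str:
        port = f" port = {self.dport}" if self.dport is not None else ""
        return (f"{self.action} {self.direction} quick on {self.iface} "
                f"proto {self.proto} from any to {self.dst}{port}")


def decide(rules: List[Rule], flow: Flow, default: str = "block") -> str:
    """First matching rule wins; with nothing matching, default deny."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


def per_ingress_rules(ingress_ifaces: List[str], server: str, port: int) -> List[Rule]:
    """One 'pass in' rule per incoming interface (the N-rule scheme)."""
    return [Rule("pass", "in", i, "tcp", server, port) for i in ingress_ifaces]


def egress_rule(egress_iface: str, server: str, port: int) -> List[Rule]:
    """A single 'pass out' rule on the interface the server sits behind."""
    return [Rule("pass", "out", egress_iface, "tcp", server, port)]


def compare(ingress_ifaces: List[str], egress_iface: str, server: str, port: int,
            flows: List[Flow]) -> Tuple[Tuple[int, int], List[Tuple[Flow, str, str]]]:
    """Return ((rules in scheme A, rules in scheme B), per-flow decisions)."""
    scheme_a = per_ingress_rules(ingress_ifaces, server, port)
    scheme_b = egress_rule(egress_iface, server, port)
    results = [(f, decide(scheme_a, f), decide(scheme_b, f)) for f in flows]
    return (len(scheme_a), len(scheme_b)), results


# Constructed sample: 20 customer VLANs, one server behind eth5.
IFACES = [f"vlan{n}" for n in range(1, 21)]
SAMPLE_FLOWS = [
    Flow("vlan7", "eth5", "tcp", "10.0.5.10", 443),   # allowed service
    Flow("vlan19", "eth5", "tcp", "10.0.5.10", 443),  # same, other VLAN
    Flow("vlan7", "eth5", "tcp", "10.0.5.11", 443),   # other host: denied
]

if __name__ == "__main__":
    counts, results = compare(IFACES, "eth5", "10.0.5.10", 443, SAMPLE_FLOWS)
    print(f"scheme A rules: {counts[0]}, scheme B rules: {counts[1]}")
    for rule in egress_rule("eth5", "10.0.5.10", 443):
        print("scheme B:", rule.text())
    for flow, a, b in results:
        print(f"{flow.in_iface}->{flow.out_iface} {flow.dst}:{flow.dport} A={a} B={b}")
```

For the sample flows both schemes reach the same decision while scheme B carries 1 rule instead of 20; the model deliberately leaves out the separate question Anders raises, namely whether the incoming filter is still needed and whether the firewall evaluates out rules for already-established state.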