I'm a bit confused about how the firewall rulesets are implemented
for multiple OPT interfaces.
Specifically - for the destination side of the firewall rules -
there is no way to select 'WAN' -- unless 'any' really does
just mean WAN and does not include various OPT networks (this
was implied/stated in one list email at least, but I cannot
If 'any' really means 'WAN', it seems it should be renamed to
make it clear that OPT rules are needed. If 'any' means any, I really
could use a 'WAN' destination option.
This seems critical for significant use of the VLAN feature
to get multiple discrete secure zones (i.e. set up outbound
rules for OPT1 that do not become inbound holes into OPT2 because
of the 'any'). Useful for getting full isolation between
different DMZ servers/services - or different managed firewall
customers in an ISP environment.
Also - I have a question about IP spoof checking. Are packets'
source addresses checked against m0n0's route table to
detect spoofed addresses?
This would obviously only be for routed interfaces, as I see nowhere
to define host lists in a bridge setup (i.e. the 'transparent'
bridging firewalls I've used make you specify which subnets
are on which interfaces - and which hosts for the local subnet).
I'd love to see that done as well on m0n0 - but that seems like
a lot to cram into its very elegant interface to get the spoof
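The two concerns in the message above (an outbound 'any' rule on one OPT interface silently passing traffic into another OPT network, and whether source addresses are checked against the routing table) can be shown with a small model. The following is an added example, not code from the original post or from m0n0wall; it assumes first-match rule evaluation with a default deny, hypothetical addressing for LAN/OPT1/OPT2, and a hypothetical 'WAN' destination selector meaning "any address that is not in one of the local networks". The reverse-path check it implements is the generic routed-interface form of spoof detection, not a description of what m0n0wall actually does.

```python
import ipaddress

# Constructed addressing for the three local interfaces (hypothetical; the
# post gives no addresses). Anything outside these nets is treated as
# upstream, i.e. reachable only through WAN.
NETS = {
    "LAN":  ipaddress.ip_network("192.168.1.0/24"),
    "OPT1": ipaddress.ip_network("10.10.1.0/24"),
    "OPT2": ipaddress.ip_network("10.10.2.0/24"),
}

def iface_for(addr):
    """Stand-in for a routing-table lookup: which interface owns this address?"""
    ip = ipaddress.ip_address(addr)
    for name, net in NETS.items():
        if ip in net:
            return name
    return "WAN"

def addr_matches(selector, addr):
    """Rule selector: 'any', a named local net, or the hypothetical 'WAN'
    option (every address that is not in one of the local nets)."""
    if selector == "any":
        return True
    if selector == "WAN":
        return iface_for(addr) == "WAN"
    return ipaddress.ip_address(addr) in NETS[selector]

def evaluate(rules, pkt, spoof_check=True):
    """First-match evaluation, default deny. With spoof_check on, a packet
    whose source address does not belong to the interface it arrived on is
    dropped before any rule is consulted (strict reverse-path check)."""
    if spoof_check and iface_for(pkt["src"]) != pkt["iface"]:
        return "block-spoof"
    for rule in rules:
        if rule["iface"] != pkt["iface"]:
            continue
        if addr_matches(rule["src"], pkt["src"]) and addr_matches(rule["dst"], pkt["dst"]):
            return rule["action"]
    return "block"

# Ruleset as the post fears it behaves: 'any' really means any, so the
# outbound rule on OPT1 also opens OPT1 -> OPT2 and OPT1 -> LAN.
NAIVE = [
    {"iface": "OPT1", "src": "OPT1", "dst": "any", "action": "pass"},
]

# Explicit isolation: block the other local nets before the catch-all.
ISOLATED = [
    {"iface": "OPT1", "src": "OPT1", "dst": "OPT2", "action": "block"},
    {"iface": "OPT1", "src": "OPT1", "dst": "LAN",  "action": "block"},
    {"iface": "OPT1", "src": "OPT1", "dst": "any",  "action": "pass"},
]

# The same intent in one rule, given the 'WAN' destination selector the
# post asks for (hypothetical; not an existing m0n0wall option).
WAN_ONLY = [
    {"iface": "OPT1", "src": "OPT1", "dst": "WAN", "action": "pass"},
]

def pkt(iface, src, dst):
    """A packet as seen on ingress: arriving interface, source, destination."""
    return {"iface": iface, "src": src, "dst": dst}

if __name__ == "__main__":
    to_opt2 = pkt("OPT1", "10.10.1.20", "10.10.2.20")      # cross-OPT traffic
    to_inet = pkt("OPT1", "10.10.1.20", "203.0.113.5")     # genuine outbound
    spoofed = pkt("OPT1", "10.10.2.7", "203.0.113.5")      # OPT2 source on OPT1
    for name, rules in (("naive", NAIVE), ("isolated", ISOLATED), ("wan-only", WAN_ONLY)):
        print(name, evaluate(rules, to_opt2), evaluate(rules, to_inet), evaluate(rules, spoofed))
```

Running it shows the hole the post describes: under NAIVE the OPT1 -> OPT2 packet passes, while ISOLATED and WAN_ONLY block it and still pass the upstream-bound packet. The spoofed packet is rejected by the reverse-path check regardless of ruleset; with the check disabled it is only dropped because no rule's source selector happens to match, which is the weaker guarantee the post is asking about.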