Hi all- I'm a bit confused about how the firewall rulesets are implemented for multiple OPT interfaces. Specifically - for the destination side of the firewall rules - there is no way to select 'WAN' -- unless 'any' really does just mean WAN and does not include various OPT networks (this was implied/stated in one list email at least, but I cannot confirm this). If Any really means 'WAN' it seems that should be renamed to make it clear OPT rules are needed. If any means any I really could use a 'WAN' destination option. This seems critical for significant use of the VLAN feature to get multiple discrete secure zones. (IE - setup outbound rules for OPT1 that do not become inbound holes into OPT2 because of the 'ANY'). Useful for getting full isolation between different DMZ servers/services - or different managed firewall customers in an ISP environment. Also - I have a question about IP spoof checking. Are packets source addresses checked against the m0n0's route table to detect spoofed addrs? This would obviously only be for routed interfaces as I see nowhere to define host lists in a bridge setup. (Ie - the 'transparent' bridging firewalls I've used make you specify which subnets are on which interfaces - and which hosts for the local subnet). I'd love to see that done as well on m0n0 - but that seems like a lot to cram into it's very elegant interface to get the spoof protection. Thanks! -josh bardt |