[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: PF Filter rules & NAT



On Mon, 2002-12-09 at 09:09, Daniel Hartmeier wrote:
> Just because a connection is allowed in on one interface doesn't mean I
> want to allow it out through ANY of the other interfaces. I see
> filtering on an interface as a guard standing at a door. Just because
> one guard let you into the house doesn't mean you may leave the house
> through any door you like. You have to pass each guard.
Exactly.  BenR, what you're seeing here is not a poor design decision. 
Rather, you've finally been given the fine-grained ability to control
everything on your interface(s).  How simple or complex these rules
become is entirely up to you.  Obviously, this level of complexity makes
a front-end/wrapper program that much more difficult to code for.
Linux Netfilter offers a comparable level of granularity.  However, the
iptables syntax is MUCH more obscene.  I've really learned to appreciate
the philosophies behind the PF engine over a very short period of time
(skip steps, for example).
-J.