Most recent edit on 2007-12-04 07:37:22 by ChrisBuechler
Oldest known version of this page was edited on 2007-12-04 07:32:33 by ChrisBuechler
Single Page Ruleset
In some circumstances, per-interface rulesets are undesirable. Having a single ruleset applied to all traffic traversing the firewall makes much more sense in some cases. This is especially true with large numbers of interfaces (10+), common in VLAN environments. It also eliminates the problem in such environments where the interface tabs run well off the screen.
The default would remain per-interface rules, because that way makes more sense for most users. There would be an option to switch from per-interface to single ruleset, and vice versa.
Rule generation changes
Rules would have to be generated differently in the back end for a single ruleset, since rules are currently tied to interfaces.
Antispoofing may need modification as well.
Rule conversion logic
We need to include logic to allow switching between ruleset types.
Per-interface to single
Rules on each interface would need to be converted if the source is any. Those rules would have the source network 'any' replaced with the subnets on that interface.
Single to per-interface
This is more difficult. It would probably make the most sense to force the user to manually choose which interface to use for each rule. After switching from single to per-interface, the user would see something like the following screen:
http://pfsense.org/~cmb/screens/per-interface-fw-rules-convert.png
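The two conversions described above, modelled as an added example (not pfSense's own code): a per-interface rule with source 'any' is expanded into one rule per subnet of its interface, and the single-to-per-interface direction takes the interfaces the user picked and hands back the rules still awaiting a choice instead of guessing. The Rule fields, interface names and subnets are constructed for illustration.

```python
from dataclasses import dataclass, replace
from ipaddress import ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    """One firewall rule; interface is None for rules in a single ruleset."""
    action: str
    proto: str
    src: str
    dst: str
    dport: str = "any"
    interface: Optional[str] = None

# Constructed sample: subnets per interface (an interface may carry several).
IFACE_SUBNETS = {
    "lan": ["192.168.1.0/24"],
    "vlan10": ["10.10.0.0/24", "10.10.1.0/24"],
}

# Constructed per-interface rulesets, keyed by interface, in tab order.
PER_IFACE_RULES = {
    "lan": [
        Rule("pass", "any", "any", "any"),
        Rule("block", "tcp", "192.168.1.50/32", "any", "25"),
    ],
    "vlan10": [Rule("pass", "tcp", "any", "10.0.0.5/32", "443")],
}

def per_interface_to_single(rules_by_iface, iface_subnets):
    """Merge per-interface rulesets into one list. A source of 'any' only ever
    matched traffic arriving on that interface, so it is narrowed to one rule
    per subnet of the interface; any other source is copied unchanged."""
    merged = []
    for iface, rules in rules_by_iface.items():
        for r in rules:
            srcs = iface_subnets[iface] if r.src == "any" else [r.src]
            for src in srcs:
                ip_network(src)  # reject a malformed subnet before emitting a rule
                merged.append(replace(r, src=src, interface=None))
    return merged

def single_to_per_interface(rules, choices):
    """Split a single ruleset using the interface the user chose per rule
    (rule index -> interface). Rules without a choice are returned separately
    so the UI keeps asking rather than assigning an interface itself."""
    by_iface, pending = {}, []
    for i, r in enumerate(rules):
        if i in choices:
            by_iface.setdefault(choices[i], []).append(replace(r, interface=choices[i]))
        else:
            pending.append(r)
    return by_iface, pending
```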