From documentation presented here on this list and available for
products such as screend for Ultrix and SGI's packet filter daemon,
it seems that most filters have one set of rules through which all
packets must pass. While fair, this would seemingly slow down the
network traffic which is never going to be filtered and even more so
if the host which is acting as the filter is routing more than two
network connections.
To reduce both the size of filter rulesets as well as increase the
throughput of non-filtered traffic, it would seem better to be able
to set up a different filter rule set for each interface connected to
the host. Are there any working packet filters which are able to
operate in this way, or does anyone know of any texts which discuss
this? With this approach, you could more easily block packets from
outside which were trying to be internal hosts.
cheers,
Darren.
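The per-interface idea raised in the post, sketched as an added example that is not code from the post or from any of the filters it mentions: each interface gets its own first-match rule list, so the anti-spoofing check (an internal source address arriving on the outside interface) is a single rule on that interface, and traffic on the inside interface walks only one rule. Interface names, the 10.0.0.0/8 internal range and the sample packets are constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

@dataclass(frozen=True)
class Packet:
    iface: str  # interface the packet arrived on (hypothetical names ext0/int0)
    src: str
    dst: str

@dataclass(frozen=True)
class Rule:
    action: str             # "pass" or "block"
    src: str = "0.0.0.0/0"  # source network the rule applies to
    dst: str = "0.0.0.0/0"  # destination network the rule applies to

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst))

INTERNAL = "10.0.0.0/8"  # constructed internal address range

# One rule list per interface; first match wins, no match means block.
RULES_BY_IFACE = {
    # Outside interface: a packet arriving here with an internal source
    # address cannot be genuine, so it is dropped by the very first rule.
    "ext0": [Rule("block", src=INTERNAL),
             Rule("block", dst="10.0.0.1/32"),  # keep the router itself unreachable
             Rule("pass")],
    # Inside interface: traffic that is never filtered walks one rule only.
    "int0": [Rule("pass")],
}

def filter_packet(pkt: Packet, rulesets=RULES_BY_IFACE) -> tuple:
    """Return (verdict, rules_evaluated) using the arrival interface's rule set."""
    evaluated = 0
    for rule in rulesets.get(pkt.iface, []):
        evaluated += 1
        if rule.matches(pkt):
            return rule.action, evaluated
    return "block", evaluated  # unknown interface or no match: fail closed

if __name__ == "__main__":
    for pkt in (Packet("ext0", "10.1.2.3", "10.0.0.7"),    # spoofed internal source
                Packet("ext0", "192.0.2.5", "10.0.0.7"),   # ordinary inbound packet
                Packet("int0", "10.1.2.3", "192.0.2.5")):  # outbound, one rule checked
        print(pkt.iface, pkt.src, "->", pkt.dst, filter_packet(pkt))
```

The second element of the returned tuple makes the throughput point visible: inside traffic costs one rule evaluation, while a single global list would have to test every packet against every interface's rules.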