Great Circle Associates Firewalls
(October 1992)
 


Subject: Re: Filters and interfaces.
From: Brent Chapman <brent @ GreatCircle . COM>
Date: Fri, 09 Oct 92 16:00:41 -0700
To: Firewalls @ GreatCircle . COM
In-reply-to: Your message of Sun, 4 Oct 92 04:20:53 +1000

avalon @ coombs . anu . edu . au (Darren Reed) writes:

#    To reduce both the size of filter rulesets as well as increasing
# throughput of non-filtered traffic, it would seem better to be able
# to set up a different filter rule set for each interface connected to
# the host.  Are there any working packet filters which are able to
# operate in this way or does anyone know of any texts which discuss
# this?  With this approach, you could more easily block packets from
# outside which were trying to be internal hosts.

You are absolutely right.  Most of the more useful filtering products
in fact work this way.  The best ones also let you specify filters
for both incoming and outgoing packets on each interface.  See
my paper (available for anonymous FTP as pub/pkt_filtering.ps.Z on
FTP.GreatCircle.COM) for a more in-depth discussion.


-Brent
--
Brent Chapman                                   Great Circle Associates
Brent @ GreatCircle . COM                       1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA  94041
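
The per-interface, per-direction filtering discussed in this message, as an
added example that is not part of the original post or of any product it
mentions.  The interface names (ext0, int0), the 192.0.2.0/24 internal
network and the rule format are assumptions made for illustration.

```python
import ipaddress

# Constructed topology (assumption): 192.0.2.0/24 is the internal network,
# "int0" faces it and "ext0" faces the outside.
INSIDE = "192.0.2.0/24"
ANY = "0.0.0.0/0"

def rule(action, src=ANY, dst=ANY):
    return action, ipaddress.ip_network(src), ipaddress.ip_network(dst)

# One ordered rule list per (interface, direction); first match wins.
RULESETS = {
    ("ext0", "in"): [
        rule("deny", src=INSIDE),    # outside packet claiming an inside source
        rule("permit", dst=INSIDE),
    ],
    ("ext0", "out"): [rule("permit", src=INSIDE)],
    ("int0", "in"): [rule("permit", src=INSIDE)],
}
# Interface/direction pairs with no filter at all: packets skip rule evaluation.
UNFILTERED = {("int0", "out")}

def check(interface, direction, src, dst):
    """Return (action, rules_examined) for one interface and direction."""
    if (interface, direction) in UNFILTERED:
        return "permit", 0
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    examined = 0
    for action, src_net, dst_net in RULESETS.get((interface, direction), []):
        examined += 1
        if src_ip in src_net and dst_ip in dst_net:
            return action, examined
    return "deny", examined  # nothing matched: default deny

def forward(in_if, out_if, src, dst):
    """A routed packet must pass the inbound filter where it arrives and
    the outbound filter where it leaves."""
    action, _ = check(in_if, "in", src, dst)
    if action == "permit":
        action, _ = check(out_if, "out", src, dst)
    return action

if __name__ == "__main__":
    # Same source address, different arrival interface, different verdict.
    print(forward("ext0", "int0", "192.0.2.10", "192.0.2.20"))    # deny
    print(forward("int0", "ext0", "192.0.2.10", "198.51.100.7"))  # permit
```

A filter keyed only on addresses cannot tell these two packets apart; the
arrival interface is what identifies the first one as spoofed.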

