au (Darren Reed) writes:
# To reduce both the size of filter rulesets as well as increasing
# throughput of non-filtered traffic, it would seem better to be able
# to set up a different filter rule set for each interface connected to
# the host. Are there any working packet filters which are able to
# operate in this way or does anyone know of any texts which discuss
# this? With this approach, you could more easily block packets from
# outside which were trying to be internal hosts.
You are absolutely right. Most of the more useful filtering products
in fact work this way. The best ones also let you specify filters
for both incoming and outgoing packets on each interface. See
my paper (available for anonymous FTP as pub/pkt_filtering.ps.Z on
FTP.GreatCircle.COM) for a more in-depth discussion.
Brent Chapman                 Great Circle Associates
COM                           1057 West Dana Street
+1 415 962 0841               Mountain View, CA 94041
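
The per-interface, per-direction filtering discussed in this thread, as an added sketch that is not part of either post, the cited paper, or any filtering product. The interface names `ext0` and `int0`, the internal network 192.0.2.0/24, and all packets are constructed assumptions.

```python
import ipaddress
from typing import NamedTuple

class Rule(NamedTuple):
    action: str   # "permit" or "deny"
    src: str      # source network in CIDR form
    dst: str      # destination network in CIDR form

ANY = "0.0.0.0/0"
INTERNAL = "192.0.2.0/24"   # constructed internal network (documentation range)

# One ordered rule list per (interface, direction); ext0/int0 are assumed names.
RULESETS = {
    ("ext0", "in"): [
        Rule("deny", INTERNAL, ANY),      # outside packet claiming an internal source
        Rule("permit", ANY, INTERNAL),
    ],
    ("ext0", "out"): [Rule("permit", INTERNAL, ANY)],
    ("int0", "in"): [Rule("permit", INTERNAL, ANY)],  # internal hosts use internal sources
    ("int0", "out"): [Rule("permit", ANY, INTERNAL)],
}

def _match(addr, net):
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net)

def check(iface, direction, src, dst):
    """First matching rule wins; no match, or an unknown interface, means deny."""
    for rule in RULESETS.get((iface, direction), []):
        if _match(src, rule.src) and _match(dst, rule.dst):
            return rule.action
    return "deny"

def forward(in_iface, out_iface, src, dst):
    """A routed packet must pass the inbound filter where it arrives
    and the outbound filter where it leaves."""
    if check(in_iface, "in", src, dst) != "permit":
        return f"dropped at {in_iface}/in"
    if check(out_iface, "out", src, dst) != "permit":
        return f"dropped at {out_iface}/out"
    return "forwarded"

if __name__ == "__main__":
    # Constructed packets: the same source address is judged by arrival interface.
    print(forward("ext0", "int0", "192.0.2.10", "192.0.2.20"))     # internal source, from outside
    print(forward("int0", "ext0", "192.0.2.10", "198.51.100.7"))   # genuine internal host
    print(forward("int0", "ext0", "203.0.113.5", "198.51.100.7"))  # foreign source, from inside
```

A single global rule list keyed only on addresses could not tell the first two packets' sources apart; the arrival interface is what makes the spoofed one identifiable.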