Firewalls: Re: Filters and interfaces.

Firewalls
(October 1992)

Indexed By Thread: [Previous] [Next]

Subject:	Re: Filters and interfaces.
From:	Brent Chapman <brent @ GreatCircle . COM>
Date:	Fri, 09 Oct 92 16:00:41 -0700
To:	Firewalls @ GreatCircle . COM
In-reply-to:	Your message of Sun, 4 Oct 92 04:20:53 +1000

avalon @
 coombs .
 anu .
 edu .
 au (Darren Reed) writes:

#    To reduce both the size of filter rulesets as well as increasing
# throughput of non-filtered traffic, it would seem better to be able
# to setup a different filter rule set for each interface connected to
# the host.  Are there any working packet filters which are able to
# operate in this way or does anyone know of any texts which discuss
# this ?  With this approach, you could more easily block packets from
# outside which were trying to be internal hosts.

You are absolutely right.  Most of the more useful filtering products
in fact work this way.  The best ones also let you specify both
filters for both incoming and outgoing packets on each interface.  See
my paper (available for anonymous FTP as pub/pkt_filtering.ps.Z on
FTP.GreatCircle.COM) for a more in-depth discussion.


-Brent
--
Brent Chapman                                   Great Circle Associates
Brent @
 GreatCircle .
 COM                           1057 West Dana Street
+1 415 962 0841                                 Mountain View, CA  94041

Indexed By Date	Previous:	Re: Reverse and double-reverse IP address lookups as service prerequisites From: Brent Chapman <brent @ GreatCircle . COM>
Indexed By Date	Next:	Re: cisco router & interfaces used:subnet ratio From: tron!plaza . dnet!adkins @ uunet . UU . NET (Marty Adkins, (W) ESG Distributed Systems, MS 1615, WIN 285-1479)
Indexed By Thread	Previous:	Re: Filters and interfaces. From: Eliot Lear <lear @ yeager . corp . sgi . com>
Indexed By Thread	Next:	Re: your mail From: "John B. Brown" <jbb @ flare . cs . umb . edu>