At 22:38 9/14/94 -0500, Jim Thompson wrote:
>I've always been confused by the heat surrounding inbound/outbound filters.
>If you've got inbound filters, and you can prevent the packet from appearing
>on the IP input queue, why do you have to worry about the outbound queue?
>Really the only traffic that can be generated that isn't subjected to the
>list is locally generated traffic. And hey, if you don't have control of your
>firewall (or filtering router), what security do you have?

It's primarily an issue for routers with >2 interfaces. If you've got
multiple interfaces, it's really nice to be able to put all the Internet-
related filtering rules on the Internet interface, and all the finance-net
related filtering rules on the finance-net interface, and so forth.

First, it makes the rules much simpler; trying to merge 4 nets' worth of
filtering constraints into 4 different outbound-only (or inbound-only)
filter lists can be a real headache, and may not be possible at all
(depends on the filter syntax).

Second, it's a performance issue; being able to put all the filtering
rules on a single interface means that traffic between other interfaces
isn't subject to packet filtering performance delays.

Brent Chapman | Great Circle Associates | Call or email for info about
COM | 1057 West Dana Street | upcoming Internet Security
+1 415 962 0841 | Mountain View, CA 94041 | Firewalls Tutorial dates
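As an added example (not code from the original post), the per-interface layout described above, modelled as a toy three-interface filter in Python; the interface names, prefixes and policy are constructed for illustration. Evaluating a packet only against the list on its ingress interface is what keeps corp-to-finance traffic off the Internet rule set entirely.

```python
# Added example (not from the original mailing-list post): a toy packet filter that
# models a three-interface router with per-interface inbound (ingress) lists. The
# topology, addresses and policy below are constructed for illustration.
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst dport")
N = ipaddress.ip_network
ANY = N("0.0.0.0/0")

# Interface name -> directly connected prefix ("internet" carries the default route)
IFACES = {
    "internet": ANY,
    "corp": N("10.1.0.0/16"),
    "finance": N("10.2.0.0/16"),
}

def egress(dst):
    """Longest-prefix match over the connected networks picks the outgoing interface."""
    ip = ipaddress.ip_address(dst)
    return max((n for n, p in IFACES.items() if ip in p), key=lambda n: IFACES[n].prefixlen)

def matches(rule, pkt):
    _, src, dst, port = rule
    return (ipaddress.ip_address(pkt.src) in src and ipaddress.ip_address(pkt.dst) in dst
            and (port is None or port == pkt.dport))

# Ingress lists: first match wins; each non-empty list ends in an explicit deny.
INBOUND = {
    "internet": [
        ("permit", ANY, N("10.1.0.10/32"), 25),   # only SMTP to the corp mail host
        ("deny", ANY, ANY, None),                  # nothing else from outside (finance included)
    ],
    "finance": [
        ("permit", IFACES["finance"], IFACES["corp"], None),  # finance may reach corp only,
        ("deny", ANY, ANY, None),                  # and only with its own prefix as source
    ],
    "corp": [],                                    # no list: corp traffic is not filtered here
}

def forward(ingress, pkt):
    """Return (action, egress interface, rules examined) for a packet arriving on ingress."""
    rules = INBOUND.get(ingress, [])
    for examined, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule[0], egress(pkt.dst), examined
    # No list on the interface means no filtering; a list that falls through denies.
    return ("deny" if rules else "permit"), egress(pkt.dst), len(rules)
```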