On Sun, 31 Dec 2000, guy keren wrote:
>
> On Sun, 31 Dec 2000, Jonathan Ben-Avraham wrote:
>
> > The ipchains HOWTO contains an example firewall configuration with
> > separate chains defined for each triple of source network, destination
> > network and direction. That is, there are chains "net-dmz", "dmz-net",
> > "net-int", "int-net", "int-dmz" and "dmz-int". Is there any really good
> > reason not to simply leave all of rules in the forward chain? What do you
> > gain by splitting the forward rules into so many separate chains?
>
> i haven't read the howto, so i'm just plain old edu-guessing, based on my
> experience with playing with various odd features of ipchains. the split
> into several chains ought to make the "code" easier to read and maintain,
> much like a program's source code is broken down into functions (each
> chain is the equivalent of a function call, more or less).
Sticking to that metaphor, also think about "code reuse".
>
> computation-wise, there is no extra functionality gained by splitting the
> rules into separate chains. i would guess that some security experts would
> advise against using several chains, using their rule that you can't
> achieve good security in a complex system, and when you keep the rules in a
> single chain, you can see them all together, which is important, too.
Technically, there may be:
If you want to apply some rules to part of the packets, you can send them
to a separate chain. Thus you don't have to specify the selection criteria
for this group of packets on every rule you apply to this group.
Although I believe this gain would be negligible in almost any setting.
--
Tzafrir Cohen
mailto:[EMAIL PROTECTED]
http://www.technion.ac.il/~tzafrir
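Worked example (added here; it is not code from the ipchains HOWTO or from anyone on the thread): a toy Python model of ipchains chain traversal, with the two points above written out as code. The same policy is built twice, once as a flat "forward" chain where every rule restates its source/destination pair, and once HOWTO-style, where "forward" only dispatches into per-direction user chains whose rules carry no selectors at all. The address plan (192.168.1.0/24 as "int", 192.168.2.0/24 as "dmz", 0.0.0.0/0 as "net") and the sample packets are assumptions, not taken from the HOWTO.

```python
"""Toy model of ipchains chain traversal: flat 'forward' chain vs. per-direction
user chains.  Constructed example; the address plan and traffic are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

INT = "192.168.1.0/24"   # assumed internal LAN
DMZ = "192.168.2.0/24"   # assumed DMZ
ANY = "0.0.0.0/0"        # "net": everything, so it also covers INT and DMZ; order matters

TERMINAL = {"ACCEPT", "DENY", "REJECT"}

@dataclass
class Rule:
    src: str = ANY
    dst: str = ANY
    proto: str = "all"            # "all", "tcp", "udp", "icmp"
    dport: Optional[int] = None
    target: str = "DENY"          # ACCEPT/DENY/REJECT/RETURN, or a user chain name

    def matches(self, pkt: Dict) -> bool:
        return (ipaddress.ip_address(pkt["src"]) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(pkt["dst"]) in ipaddress.ip_network(self.dst)
                and self.proto in ("all", pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))

class Firewall:
    """Chains are ordered rule lists; 'forward' is built in and carries the policy."""
    def __init__(self, policy: str = "DENY"):
        self.chains: Dict[str, List[Rule]] = {"forward": []}
        self.policy = policy

    def new_chain(self, name: str) -> None:              # like: ipchains -N name
        self.chains[name] = []

    def append(self, chain: str, rule: Rule) -> None:   # like: ipchains -A chain ...
        self.chains[chain].append(rule)

    def verdict(self, pkt: Dict, chain: str = "forward") -> Optional[str]:
        """First matching terminal target wins.  A jump into a user chain that
        falls off its end (or hits RETURN) resumes at the next rule of the caller."""
        for rule in self.chains[chain]:
            if not rule.matches(pkt):
                continue
            if rule.target in TERMINAL:
                return rule.target
            if rule.target == "RETURN":
                break
            sub = self.verdict(pkt, rule.target)          # jump to user chain
            if sub is not None:
                return sub
        return self.policy if chain == "forward" else None

def build_flat() -> Firewall:
    """Everything in 'forward': every rule restates its source/destination pair."""
    fw = Firewall()
    for r in [
        Rule(INT, DMZ, "tcp", 80, "ACCEPT"),   # int -> dmz: web and mail only
        Rule(INT, DMZ, "tcp", 25, "ACCEPT"),
        Rule(INT, DMZ, target="DENY"),         # must precede the int -> anywhere ACCEPT
        Rule(DMZ, INT, target="DENY"),         # dmz never initiates into int
        Rule(INT, ANY, target="ACCEPT"),       # int -> net: anything
        Rule(DMZ, ANY, "tcp", 25, "ACCEPT"),   # dmz -> net: outbound mail only
        Rule(DMZ, ANY, target="DENY"),
        Rule(ANY, DMZ, "tcp", 80, "ACCEPT"),   # net -> dmz: web and mail only
        Rule(ANY, DMZ, "tcp", 25, "ACCEPT"),
        Rule(ANY, DMZ, target="DENY"),
        Rule(ANY, INT, target="DENY"),         # net -> int: nothing
    ]:
        fw.append("forward", r)
    return fw

def build_split() -> Firewall:
    """HOWTO style: 'forward' only classifies by zone pair; the rules inside each
    user chain no longer repeat the source/destination selection."""
    fw = Firewall()
    user_chains = {
        "int-dmz": [Rule(proto="tcp", dport=80, target="ACCEPT"),
                    Rule(proto="tcp", dport=25, target="ACCEPT"), Rule()],  # Rule() = DENY
        "dmz-int": [Rule()],
        "int-net": [Rule(target="ACCEPT")],
        "dmz-net": [Rule(proto="tcp", dport=25, target="ACCEPT"), Rule()],
        "net-dmz": [Rule(proto="tcp", dport=80, target="ACCEPT"),
                    Rule(proto="tcp", dport=25, target="ACCEPT"), Rule()],
        "net-int": [Rule()],
    }
    for name, rules in user_chains.items():
        fw.new_chain(name)
        for r in rules:
            fw.append(name, r)
    # Dispatch, most specific zone pair first, because ANY also matches INT and DMZ.
    for r in [Rule(INT, DMZ, target="int-dmz"), Rule(DMZ, INT, target="dmz-int"),
              Rule(INT, ANY, target="int-net"), Rule(DMZ, ANY, target="dmz-net"),
              Rule(ANY, DMZ, target="net-dmz"), Rule(ANY, INT, target="net-int")]:
        fw.append("forward", r)
    return fw

# Constructed sample traffic.
SAMPLE_PACKETS = [
    {"src": "192.168.1.10", "dst": "192.168.2.5", "proto": "tcp", "dport": 80},   # int->dmz web
    {"src": "192.168.1.10", "dst": "192.168.2.5", "proto": "tcp", "dport": 22},   # int->dmz ssh
    {"src": "192.168.1.10", "dst": "10.0.0.1",    "proto": "tcp", "dport": 443},  # int->net
    {"src": "10.0.0.1",     "dst": "192.168.2.5", "proto": "tcp", "dport": 25},   # net->dmz mail
    {"src": "10.0.0.1",     "dst": "192.168.1.10", "proto": "tcp", "dport": 80},  # net->int
    {"src": "192.168.2.5",  "dst": "192.168.1.10", "proto": "tcp", "dport": 25},  # dmz->int
    {"src": "192.168.2.5",  "dst": "10.0.0.1",    "proto": "tcp", "dport": 25},   # dmz->net mail
    {"src": "192.168.2.5",  "dst": "10.0.0.1",    "proto": "tcp", "dport": 80},   # dmz->net web
]

def compare(packets=SAMPLE_PACKETS) -> List[tuple]:
    """(flat verdict, split verdict) per packet; identical if the two rulesets agree."""
    flat, split = build_flat(), build_split()
    return [(flat.verdict(p), split.verdict(p)) for p in packets]

def selector_rules(fw: Firewall) -> int:
    """How many rules had to spell out a source or destination network."""
    return sum(1 for rules in fw.chains.values() for r in rules if (r.src, r.dst) != (ANY, ANY))

if __name__ == "__main__":
    for pkt, (a, b) in zip(SAMPLE_PACKETS, compare()):
        print(f"{pkt['src']:>13} -> {pkt['dst']:<13} :{pkt['dport']:<4} flat={a:<6} split={b}")
    print("rules carrying src/dst selectors: flat =", selector_rules(build_flat()),
          " split =", selector_rules(build_split()))
```

Both rulesets give the same verdict for every packet, which is the "no extra functionality" point; the flat chain spells out the zone pair on all eleven rules, the split one on six dispatch rules only. The cost of the split shows up in `verdict()`: a user chain that falls off its end silently returns to the caller, so each user chain here ends in an explicit DENY, and the dispatch rules must stay in most-specific-first order because 0.0.0.0/0 also covers int and dmz.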