Re: [Fwbuilder-discussion] Understand how to get efficient rulesets
From: Whit B. <wh...@tr...> - 2009-07-20 02:08:46
On Sun, Jul 19, 2009 at 06:34:53PM -0700, Vadim Kurland wrote:
> the rule that matches ESTABLISHED,RELATED you quoted above permits reply
> packets for sessions opened from inside going out. It does not permit
> just everything outbound.

I understood that. As I said "... means that Direction 'Outbound' is automatically allowed, without explicit action in the GUI, for anything allowed 'Inbound' to start." Once something is allowed to initiate from outside, the outgoing reply qualifies as ESTABLISHED,RELATED, so the rule lets the Outbound out. We're both saying the same thing there.

My point was just that anything set in the GUI as allowed Inbound, for the particular transaction, is allowed back Outbound by that rule, so it doesn't need the Outbound GUI arrow explicitly showing it. That's not always the style in which this is handled. Those of us in the previous habit of setting individual ESTABLISHED or ESTABLISHED,RELATED rules for Outbound responses on specific Inbound ports might expect that the GUI requires both the up and down arrows showing in order to correspond with the behavior. It doesn't. That's fine. I'm just trying to clarify where someone who knows iptables somewhat well but is used to different design patterns can get tripped up on the GUI.

It doesn't matter to me now that I understand it better, but it might matter to the next person, so this is in the "Get the rock you tripped over off the path" category of trying to help out. I like Firewall Builder a lot. I'll be using it extensively. Just thinking it can be a contribution to show the places where a new person of somewhat typical sysadmin background can get confused by it, at least leaving a record of the confusions and resolutions in the discussion list here, so the next person confused might find it in the archive. That's often where I've found solutions to problems with other packages over the years, in their discussion lists.

Whit
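The two rule-writing styles the thread contrasts, as an added example that is not part of the original post and is not Firewall Builder's generated output: style A puts one ESTABLISHED,RELATED rule near the top of each chain, so a service permitted to start Inbound gets its replies out with no per-service Outbound rule; style B is the older per-port habit Whit describes, with an explicit ESTABLISHED reply rule in OUTPUT for each Inbound port. The ports (22, 80), the DROP policies and the `ipt` wrapper are assumptions for illustration; with `DRY_RUN=1` (the default here) the script prints the rules instead of loading them, so it runs without root.

```shell
#!/bin/sh
# Added example, not fwbuilder output. Compares two ways of letting reply
# traffic back out for services that are allowed to start Inbound.
# DRY_RUN=1 (default) prints the iptables commands; DRY_RUN=0 loads them.

ipt() {
    if [ "${DRY_RUN:-1}" = 1 ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Style A: one early ESTABLISHED,RELATED rule per chain. Each Inbound service
# only needs its NEW packets accepted; the OUTPUT rule passes the replies.
# RELATED also covers ICMP errors (e.g. fragmentation-needed), so PMTU
# discovery keeps working for those sessions.
style_a() {
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -A INPUT  -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    ipt -A INPUT  -p tcp --dport 22 -m state --state NEW -j ACCEPT   # ssh (assumed)
    ipt -A INPUT  -p tcp --dport 80 -m state --state NEW -j ACCEPT   # http (assumed)
}

# Style B: the per-port habit. Every Inbound port gets a matching OUTPUT rule
# that passes only ESTABLISHED replies sourced from that port. Note what it
# does NOT pass: RELATED ICMP errors, and any session the host itself starts.
style_b() {
    ipt -P INPUT DROP
    ipt -P OUTPUT DROP
    ipt -A INPUT  -p tcp --dport 22 -j ACCEPT
    ipt -A OUTPUT -p tcp --sport 22 -m state --state ESTABLISHED -j ACCEPT
    ipt -A INPUT  -p tcp --dport 80 -j ACCEPT
    ipt -A OUTPUT -p tcp --sport 80 -m state --state ESTABLISHED -j ACCEPT
}

# Count the -A rules a style emits for one chain, so the two can be compared.
# $1 = style function, $2 = chain name (INPUT or OUTPUT)
count_rules() {
    "$1" | grep -c -- "-A $2 "
}

# Stand-alone run: show both rulesets and the per-chain rule counts.
echo "# style A"; style_a
echo "# style B"; style_b
echo "A: INPUT=$(count_rules style_a INPUT) OUTPUT=$(count_rules style_a OUTPUT)"
echo "B: INPUT=$(count_rules style_b INPUT) OUTPUT=$(count_rules style_b OUTPUT)"
```

In style A the OUTPUT chain carries a single rule no matter how many Inbound services are opened, which is the behavior behind the GUI showing only the Inbound arrow; in style B the OUTPUT chain grows by one rule per service and still drops locally initiated connections and RELATED ICMP unless further rules are added.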