[j-nsp] Re: Re: Re: Interfaces, deactivate vs disable
Richard A Steenbergen
ras at e-gerbil.net
Thu Jun 9 18:05:41 EDT 2005
On Thu, Jun 09, 2005 at 11:13:53PM +0200, Daniel Roesen wrote:
>
> Now I want to add more FROB and QUX acceptance. Every time I have to
> add something I need to do the "set term ..." drill, and always
> remember the final "insert term deny-and-log-rest after
> $LAST_ADDED_TERM". How nice it would be to have
>
> ...
> terminal-term deny-and-log-rest {
>     then {
>         discard;
>         log;
>         count denied-rest
>     }
> }
> ...

I think you're over-complicating it. Just as we now have:

policy-statement blah {
    term foo {
        ....
    }
    term bar {
        ....
    }
    then {
        default action which always stays on the bottom here;
    }
}

We should also have:

filter blah {
    term foo {
        ....
    }
    term bar {
        ....
    }
    then {
        default action which always stays on the bottom here;
    }
}

This only seems logical, since most firewalls will have some default
action for that which doesn't match (a default reject, accept, log, etc).
Of course what I would really kill for is chained firewall filters like we
have chained policies, but let's start with this dirt simple feature first.
:)
--
Richard A Steenbergen <ras at e-gerbil.net> http://www.e-gerbil.net/ras
GPG Key ID: 0xF8B12CBC (7535 7F59 8204 ED1F CC1C 53AF 4C41 5ECA F8B1 2CBC)
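
The thread's underlying problem is that a term added after the final deny-and-log-rest term never matches. The following is an added example, not part of the original message: a check over `display set` style firewall configuration that reports terms placed after a match-all term. The filter names and sample lines are constructed, and it assumes the set lines appear in configuration order.

```python
import re

# Constructed sample in `show configuration firewall | display set` style.
# Filter names are made up; FROB/QUX follow the thread's placeholders.
SAMPLE = """\
set firewall family inet filter edge-in term allow-frob from protocol tcp
set firewall family inet filter edge-in term allow-frob from destination-port 22
set firewall family inet filter edge-in term allow-frob then accept
set firewall family inet filter edge-in term deny-and-log-rest then count denied-rest
set firewall family inet filter edge-in term deny-and-log-rest then log
set firewall family inet filter edge-in term deny-and-log-rest then discard
set firewall family inet filter edge-in term allow-qux from protocol udp
set firewall family inet filter edge-in term allow-qux then accept
set firewall family inet filter mgmt-in term allow-frob from protocol tcp
set firewall family inet filter mgmt-in term allow-frob then accept
set firewall family inet filter mgmt-in term deny-and-log-rest then discard
"""

LINE = re.compile(
    r"^set firewall (?:family \S+ )?filter (\S+) term (\S+) (from|then) (.*)$"
)

def shadowed_terms(config_text):
    """Return {filter: [terms that follow a match-all, terminating term]}."""
    filters = {}  # filter -> {term: [has_from, falls_through]}, in config order
    for line in config_text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        name, term, kind, rest = m.groups()
        state = filters.setdefault(name, {}).setdefault(term, [False, False])
        state[0] |= kind == "from"                          # has match conditions
        state[1] |= kind == "then" and rest == "next term"  # does not terminate
    findings = {}
    for name, terms in filters.items():
        order = list(terms)
        # First term with no match conditions that also ends evaluation.
        catch_all = next(
            (i for i, t in enumerate(order) if terms[t] == [False, False]), None
        )
        if catch_all is not None and order[catch_all + 1:]:
            findings[name] = order[catch_all + 1:]
    return findings

if __name__ == "__main__":
    for name, dead in shadowed_terms(SAMPLE).items():
        print(f"filter {name}: unreachable after catch-all: {', '.join(dead)}")
```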