Firewall Wizards mailing list archives

Re: meaning of "both" in a filter statement


From: "Joseph S. D. Yao" <jsdy () cospo osis gov>
Date: Tue, 28 Jul 1998 17:29:43 -0400 (EDT)

> Has anyone found an explanation for what "both" really does?

Hal,

The distinction is between "can" and "may".  Obviously, the IP "can"
not go either way.  But the file is saying that it "may".

> Huh?

I can kick my kids [physically capable].  I may not [not permissible].

The connection from the firewall to a specific IP address can only go
through one of the N (N >= 2) interfaces.  But the file is saying that,
whichever of those interfaces allows that connection, the connection
MAY [is allowed to be] made.

The file only gives permissions.  It does not speak to physical
capabilities or connection realities.

This makes much more sense when using rules with wild cards.  E.g.,
deny e-mail in or out to and from all IP addresses on "both"
interfaces, or allow Quake in and out to and from all IP addresses on
"both" interfaces.  ;-}

Capish?

> An unusual use and maybe spurious    Capisci?

The specific examples, yes.  The form, absolutely not.  As a more
specific use, if I want to have 'ping's or MTU discovery go through the
firewall transparently, I may need to enable those ICMP services
to/from all IP addresses on "both" interfaces.

--
Joe Yao                         jsdy () cospo osis gov - Joseph S. D. Yao
COSPO Computer Support                                          EMT-A/B
-----------------------------------------------------------------------
This message is not an official statement of COSPO policies.
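The point Joe makes, that "both" in a filter rule grants permission on either interface while any single connection still traverses only one of them, can be shown with a small rule evaluator. This is an added illustration, not code from the original post or from any firewall product; the rule fields (action, protocol, port, host, interface), the interface names "inside"/"outside", the first-match-wins ordering and the sample addresses are all constructed assumptions for the example. The Quake rule uses UDP 26000, the game's default port.

```python
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical rule format: "both" is shorthand for "either interface",
# i.e. a wildcard over the interface set, exactly like "*" for host.
INTERFACES = ("inside", "outside")


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    proto: str             # "tcp", "udp", "icmp", or "*" for any
    port: Optional[int]    # destination port; None means any (e.g. ICMP)
    host: str              # remote address or "*" for any
    iface: str             # "inside", "outside", or "both"


@dataclass(frozen=True)
class Packet:
    proto: str
    port: Optional[int]
    host: str
    iface: str             # a real packet is on exactly ONE interface ("can")


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    """True if the rule's permission applies to this packet."""
    if rule.proto != "*" and rule.proto != pkt.proto:
        return False
    if rule.port is not None and rule.port != pkt.port:
        return False
    if rule.host != "*" and rule.host != pkt.host:
        return False
    # "both" says the rule MAY apply on whichever interface the packet
    # actually uses; it never claims the packet uses two interfaces.
    if rule.iface != "both" and rule.iface != pkt.iface:
        return False
    return True


def decide(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins; anything unmatched falls to the default."""
    if pkt.iface not in INTERFACES:
        raise ValueError(f"unknown interface {pkt.iface!r}")
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return default


# Constructed rule set mirroring the examples in the thread.
RULES = [
    Rule("deny", "tcp", 25, "*", "both"),        # e-mail in or out, either side
    Rule("allow", "udp", 26000, "*", "both"),    # Quake in or out, either side
    Rule("allow", "icmp", None, "*", "both"),    # ping / MTU discovery transparently
    Rule("allow", "tcp", 80, "10.0.0.5", "outside"),  # one host, one interface only
]


def decisions_for(proto: str, port: Optional[int], host: str) -> dict:
    """Evaluate the same flow as seen on each interface separately."""
    return {
        iface: decide(RULES, Packet(proto, port, host, iface))
        for iface in INTERFACES
    }


if __name__ == "__main__":
    # A "both" rule yields the same verdict whichever single interface is used.
    print("smtp :", decisions_for("tcp", 25, "192.0.2.10"))
    print("icmp :", decisions_for("icmp", None, "192.0.2.10"))
    # A single-interface rule does not; the other side falls to the default.
    print("http :", decisions_for("tcp", 80, "10.0.0.5"))
```

Running the script shows the SMTP and ICMP flows get the same verdict on either interface, while the HTTP rule written for "outside" only leaves the "inside" case at the default deny; the interface field in a rule is a permission predicate, not a description of the path a packet takes.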
