Re: OpenBSD Firewalls
> my rules are becoming very complex and I am afraid
> of starting to make mistakes because of the complexity
> of my rules.
How complex? Even in large deployment scenarios,
I've found ways to keep firewalls manageable
one way or another by using preset interface
security levels (a Cisco PIXish notion). Implementing
it in pf is just a matter of default block statements.
Basic idea being that the interfaces with the highest
security levels by default have complete access
to lower security interfaces (such as a dmz),
but the dmz has zero access directly to the higher
security interface.
IMO, it's too much of a security hole to have a
GUI to manage your pf.conf.
-Karsten
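
The security-level layout described in the message above, written out as a pf.conf fragment. This is an added illustration, not part of the original post; the interface names (em0, em1, em2) and the three levels are assumptions, and NAT is left out.

```pf
# Constructed example. Assumed interfaces and levels:
#   inside  (em1) = level 100
#   dmz     (em2) = level 50
#   outside (em0) = level 0
ext_if = "em0"
int_if = "em1"
dmz_if = "em2"

set skip on lo

# The default block is what makes the levels work: any flow not
# explicitly passed below is dropped and logged.
block log all

# All filtering decisions are made on the ingress interface, so
# egress only has to let through what an inbound rule admitted
# (plus traffic the firewall itself originates).
pass out

# Level 100: inside hosts may open connections to every lower level
# (dmz and outside). State entries carry the replies back.
pass in on $int_if inet from $int_if:network

# Level 50: dmz hosts may open connections toward the outside,
# but never toward the inside network.
pass in on $dmz_if inet from $dmz_if:network to ! $int_if:network

# Level 0: nothing is passed in on $ext_if, so the outside cannot
# initiate anything. A published dmz service would be one explicit,
# narrowly scoped "pass in on $ext_if ... to <dmz host> port <n>"
# rule added here.
```

Running `pfctl -nf` on the file parses the ruleset without loading it, which catches syntax mistakes before they reach a live firewall.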