Re: OpenBSD Firewalls
On Tue, Oct 01, 2002 at 09:44:51PM -0700, S9 wrote:
> > my rules are becoming very complex and I am afraid
> > of starting to make mistakes because of the complexity
> > of my rules.
>
> how complex? Even in large deployment scenarios,
> I've found ways to keep firewalls manageable
> one way or another by using preset interface
> security levels (a Cisco PIXish notion). Implementing
> it in pf is just a matter of default block statements.
> Basic idea being that the interfaces with the highest
> security levels by default have complete access
> to lower security interfaces (such as a dmz),
> but the dmz has zero access directly to the higher
> security interface.
I'm using this same concept, and it works well.
> IMO, it's too much of a security hole to have a
> gui to manage your pf.conf.
Not necessarily. The GUI or a related process can push the rules to the firewall
via a secure channel such as ssh/scp. The last time I got a look at fwbuilder,
they were advising just that.
--
Saad Kadhi -- [saad@docisland.org] [bsdguy@docisland.org]
[pgp keyid: 35592A6D http://pgp.mit.edu]
[pgp fingerprint: BF7D D73E 1FCF 4B4F AF63 65EB 34F1 DBBF 3559 2A6D]
---
"If what you say is neither beautiful, nor good, nor true, then keep silent!"
- Socrate
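The interface security-level scheme described in the exchange above, written out as a pf.conf ruleset. This is an added example, not a ruleset from either poster or from fwbuilder; the interface names, address ranges (constructed from documentation/private space) and the three levels are assumptions.

```conf
# Three interfaces, ranked by trust (assumed names; adjust to the real hardware):
ext_if = "em0"   # level 0:   Internet
dmz_if = "em1"   # level 50:  public servers
int_if = "em2"   # level 100: trusted LAN

dmz_net = "192.0.2.0/24"   # constructed sample ranges
int_net = "10.0.0.0/24"

# Default posture: nothing crosses any interface unless a pass rule allows it.
# This single block rule is what turns "security levels" into an enforced policy.
block log all

# Packets arriving on an inside interface with a source address that does not
# belong to that interface's network are dropped before any pass rule is seen.
antispoof log quick for { $int_if, $dmz_if }

# Replies and forwarded traffic leave on whichever interface pf routes them to;
# policy is decided on the inbound interface below.
pass out quick all keep state

# Level 100 -> anything lower: the trusted LAN may reach the DMZ and the Internet.
pass in quick on $int_if from $int_net to any keep state

# Level 50 -> Internet only. The block is written against the destination, not the
# source, so a DMZ host cannot reach the LAN no matter what source it claims,
# and "quick" means no later pass rule can reopen the path.
block in log quick on $dmz_if to $int_net
pass in quick on $dmz_if from $dmz_net to any keep state

# Level 0 -> level 50: only the services actually published, nothing else.
# No rule lets the Internet reach $int_net, so the default block covers it.
pass in on $ext_if proto tcp from any to $dmz_net port { 80, 443 } keep state
```

A syntax check with `pfctl -nf pf.conf` before `pfctl -f pf.conf` catches most of the mistakes the original poster worries about, whether the file is edited on the firewall or pushed to it over scp/ssh as the reply suggests.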