[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: OpenBSD 3.0/PF howto feedback
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: OpenBSD 3.0/PF howto feedback
- From: Richard Welty <rwelty_(_at_)_averillpark_(_dot_)_net>
- Date: Tue, 26 Feb 2002 11:16:32 -0500 (EST)
On Tue, 26 Feb 2002 14:12:37 +0100 Arvid Grøtting <arvidg_(_at_)_netfonds_(_dot_)_no> wrote:
> Without looking at the PF configuration details, are you sure you want
> to recommend a solution that doesn't put a firewall between the
> Internet and the DMZ?
point taken. normally, i put a fair bit of packet filtering in the router
between the DMZ and the internet, and clamp down tight on the (unix based)
hosts in the DMZ, so the motivation to go to the three legged design isn't
as great. folks who are stuck with M$ product in the DMZ may not be able to
clamp down adequately.
baring any technical mistakes in my document, i'll probably put a note in
about the three legged design having some advantages, and promise a follow
up version of the document at a later date which includes such a design.
my principal goal in this document was to show the pf and nat rules and
how they interact, and not to provide a best-of-breed design.
Richard Welty rwelty_(_at_)_averillpark_(_dot_)_net
Averill Park Networking 518-573-7592
Unix, Linux, IP Network Engineering, Security
Visit your host, monkey.org