
Re: OpenBSD Firewalls



On Wed, Oct 02, 2002 at 09:32:24AM -0500, Mike Shaw wrote:
> At 09:44 PM 10/1/2002 -0700, S9 wrote:
> >> my rules are becoming very complex and I am afraid
> >> of starting to make mistakes because of the complexity
> >> of my rules.
> >
> >how complex? Even in large deployment scenarios,
> >I've found ways to keep firewalls manageable
> >one way or another by using preset interface
> >security levels (a Cisco PIXish notion). Implementing
> >it in pf is just a matter of default block statements.
> 
> Do you mind forwarding some cleansed examples?  I'm interested in the nuts 
> and bolts of how you are doing this.

# macros -- placeholder interface names and networks, added here so the
# ruleset loads as-is; the original post leaves them undefined
internal_nic = "fxp0"
internal_net = "192.168.1.0/24"
dmz_nic      = "fxp1"
dmz_net      = "192.168.2.0/24"

# default rules: no "quick", so they only decide when nothing below matches
# (pf takes the last matching rule unless a matching rule says "quick")
block in log from any to any
block out log from any to any

# trusted: the internal interface passes in both directions, statelessly
pass in quick on $internal_nic from $internal_net to any
pass out quick on $internal_nic from any to $internal_net

# trusted access to semi-trusted: state is created on the DMZ interface,
# so replies from $dmz_net are matched by the state table, not the rules;
# flags S/SA matches only the initial SYN of each TCP connection
pass out quick on $dmz_nic proto tcp from $internal_net to $dmz_net \
    flags S/SA keep state
pass out quick on $dmz_nic proto { udp, icmp } from $internal_net to $dmz_net \
    keep state

# no access from semi-trusted to trusted: this must come BEFORE the
# "pass in quick ... from $dmz_net to any" rule below, or that quick pass
# would win and the block would never be reached
block in log quick on $dmz_nic from $dmz_net to $internal_net

# semi-trusted access to untrusted
pass in quick on $dmz_nic from $dmz_net to any
pass out quick on $dmz_nic from any to any

...etc



 
-- 
Saad Kadhi -- [saad@docisland.org] [bsdguy@docisland.org]
[pgp keyid: 35592A6D http://pgp.mit.edu]
[pgp fingerprint: BF7D D73E 1FCF 4B4F AF63  65EB 34F1 DBBF 3559 2A6D]
---
"If what you say is neither beautiful, nor good, nor true, then be silent!"
                                                            - Socrate
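The ruleset above relies on two pf evaluation facts: the last matching rule wins, and a matching "quick" rule ends the walk immediately, which is why the "block in log quick" for DMZ-to-internal traffic has to sit before the "pass in quick on $dmz_nic from $dmz_net to any" rule. The following is an added example, not code from the post or from OpenBSD: a small Python model of that rule walk (stateless only; it does not simulate the state table, and ignores "log", "flags" and "keep state") run over the posted rules. The macro values, interface names and sample packets are constructed for the example. The last function swaps the block and pass rules to show the verdict flipping when the order is wrong.

```python
import ipaddress

# Placeholder values for the macros the posted rules reference (constructed
# for this example; the original post leaves them undefined).
MACROS = {
    "internal_nic": "fxp0", "internal_net": "192.168.1.0/24",
    "dmz_nic":      "fxp1", "dmz_net":      "192.168.2.0/24",
}

# The posted ruleset, with the two continuation lines joined.
RULESET = """\
block in log from any to any
block out log from any to any
pass in quick on $internal_nic from $internal_net to any
pass out quick on $internal_nic from any to $internal_net
pass out quick on $dmz_nic proto tcp from $internal_net to $dmz_net flags S/SA keep state
pass out quick on $dmz_nic proto { udp, icmp } from $internal_net to $dmz_net keep state
block in log quick on $dmz_nic from $dmz_net to $internal_net
pass in quick on $dmz_nic from $dmz_net to any
pass out quick on $dmz_nic from any to any
"""

def expand(tok):
    """Expand a $macro reference; other tokens pass through unchanged."""
    return MACROS[tok[1:]] if tok.startswith("$") else tok

def parse_rule(line):
    """Parse the pf.conf subset used in the post into a dict. 'log', 'flags'
    and 'keep state' are accepted but ignored: this model walks the rules
    only and does not simulate pf's state table."""
    toks = line.replace("{", " { ").replace("}", " } ").replace(",", " ").split()
    rule = {"action": toks[0], "dir": None, "quick": False, "on": None,
            "proto": None, "from": "any", "to": "any"}
    i = 1
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule["dir"] = t
        elif t == "quick":
            rule["quick"] = True
        elif t == "on":
            i += 1
            rule["on"] = expand(toks[i])
        elif t == "proto":
            i += 1
            if toks[i] == "{":                 # proto { a, b } list
                j = toks.index("}", i)
                rule["proto"] = set(toks[i + 1:j])
                i = j
            else:
                rule["proto"] = {toks[i]}
        elif t in ("from", "to"):
            i += 1
            rule[t] = expand(toks[i])
        elif t in ("flags", "keep"):
            i += 1                             # skip "S/SA" / "state"
        elif t == "log":
            pass
        else:
            raise ValueError(f"unsupported token {t!r} in: {line}")
        i += 1
    return rule

def addr_match(spec, addr):
    return spec == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(spec)

def rule_matches(rule, pkt):
    """pkt = (direction, interface, proto, src, dst)."""
    d, ifc, proto, src, dst = pkt
    return (rule["dir"] in (None, d) and rule["on"] in (None, ifc)
            and (rule["proto"] is None or proto in rule["proto"])
            and addr_match(rule["from"], src) and addr_match(rule["to"], dst))

def evaluate(ruleset, pkt):
    """pf semantics: walk top to bottom, the LAST matching rule wins, except
    that a matching 'quick' rule stops the walk at once. pf's default when
    no rule matches is pass. Returns (action, index of the deciding rule)."""
    verdict = ("pass", None)
    for idx, line in enumerate(ruleset.strip().splitlines()):
        rule = parse_rule(line)
        if rule_matches(rule, pkt):
            verdict = (rule["action"], idx)
            if rule["quick"]:
                break
    return verdict

# Constructed sample packets: (direction, interface, proto, src, dst).
PACKETS = {
    "internal->dmz, out on dmz_nic":     ("out", "fxp1", "tcp", "192.168.1.10", "192.168.2.20"),
    "dmz->internal, in on dmz_nic":      ("in",  "fxp1", "tcp", "192.168.2.20", "192.168.1.10"),
    "dmz->internet, in on dmz_nic":      ("in",  "fxp1", "tcp", "192.168.2.20", "203.0.113.5"),
    "internet->internal, in on ext nic": ("in",  "fxp2", "tcp", "203.0.113.5",  "192.168.1.10"),
}

def verdicts(ruleset=RULESET):
    return {name: evaluate(ruleset, pkt) for name, pkt in PACKETS.items()}

def misordered():
    """Same rules, but the DMZ->internal block moved AFTER the 'pass in quick
    on $dmz_nic from $dmz_net to any' rule: the quick pass now fires first."""
    lines = RULESET.strip().splitlines()
    lines[6], lines[7] = lines[7], lines[6]
    return "\n".join(lines)

if __name__ == "__main__":
    for name, v in verdicts().items():
        print(f"{name:36s} {v}")
    print("misordered dmz->internal:",
          evaluate(misordered(), PACKETS["dmz->internal, in on dmz_nic"]))
```

With the rules in the posted order the DMZ-to-internal packet is decided by the quick block (index 6); with the two rules swapped the same packet is passed by the DMZ pass-in rule, which is exactly the kind of ordering slip the original poster was worried about. Return traffic for the internal-to-DMZ connections is not modelled here, since on a real pf it is handled by the state table before any rule is consulted.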