Date: Sat, 13 Sep 2008 18:14:24 -0700
From: "David Allen" <the.real.david.allen@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Writing DMZ rulesets
Message-ID: <2daa8b4e0809131814x5d396199x81f6167e8b766fd8@mail.gmail.com>
Apologies if this question falls into the obvious category, but I'm wondering how rulesets are/should be written for DMZ scenarios. For example:

ext_if = "fxp0"
dmz_if = "fxp1"
int_if = "fxp2"
nameservers = "{ 192.168.1.2, 192.168.1.3 }"

pass in  on $ext_if proto { tcp, udp } from any to $nameservers port 53
pass out on $dmz_if proto { tcp, udp } from any to $nameservers port 53
pass in  on $dmz_if proto { tcp, udp } from $nameservers port 53 to any
pass in  on $dmz_if proto { tcp, udp } from $nameservers to any port 53
pass out on $ext_if proto { tcp, udp } from $nameservers port 53 to any
pass out on $ext_if proto { tcp, udp } from $nameservers to any port 53

Am I being redundant or excessively restrictive? And assuming that "keep state" is implicit, does this mean that a state entry will be created for each interface?

Thanks.
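The following is an added example, not part of the original post or a reply to it: a pf.conf fragment for the DMZ scenario described above, written for pf on FreeBSD 7.x, where "keep state" and "flags S/SA" are implicit on every pass rule. It reuses the interface and address macros from the question; the LAN-to-resolver rule and the choice of "block log all" as the default policy are assumptions added for illustration.

```pf
# Macros from the question (fxp0 = Internet, fxp1 = DMZ, fxp2 = LAN).
ext_if = "fxp0"
dmz_if = "fxp1"
int_if = "fxp2"
nameservers = "{ 192.168.1.2, 192.168.1.3 }"

# Options must precede filter rules in pf.conf.
# The default state policy is "floating": a state entry is NOT bound to the
# interface it was created on, so one state matches the packet as it enters
# on one interface, leaves on another, and returns.  Shown explicitly here
# so the behaviour the question asks about is visible in the file.
set state-policy floating
set skip on lo0

# Default deny on every interface in both directions; log what is dropped so
# a missing rule shows up in pflog0 instead of failing silently.
block log all

# Inbound DNS from the Internet to the DMZ resolvers.  The first packet
# arriving on $ext_if creates a single state; with floating states that same
# state passes the packet out $dmz_if and passes the reply back out $ext_if,
# so the "pass out" counterparts from the question are redundant here.
pass in on $ext_if proto { tcp, udp } from any to $nameservers port 53

# Assumed: the LAN is also allowed to query the resolvers.
pass in on $int_if proto { tcp, udp } from $int_if:network to $nameservers port 53

# Outbound recursive lookups from the resolvers.  The resolver's source port
# is ephemeral, not 53, so only the destination port is matched; replies are
# covered by the state this rule creates.  Replies to inbound queries (source
# port 53 leaving the DMZ) are already matched by the states above and need
# no rule of their own.
pass in on $dmz_if proto { tcp, udp } from $nameservers to any port 53

# If per-interface state is wanted instead (one state entry per interface the
# flow crosses), switch the policy below; the matching "pass out" rules from
# the question then become necessary again, because an if-bound state created
# on $ext_if will not match the same packet when it is evaluated on $dmz_if.
# set state-policy if-bound
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax without activating it, then `pfctl -ss` after a test query shows how many state entries one DNS exchange actually creates under each state policy.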