From: "David Allen"
To: freebsd-pf@freebsd.org
Date: Sat, 13 Sep 2008 18:14:24 -0700
Message-ID: <2daa8b4e0809131814x5d396199x81f6167e8b766fd8@mail.gmail.com>
Subject: Writing DMZ rulesets
List-Id: "Technical discussion and general questions about packet filter (pf)"

Apologies if this question falls into the obvious category, but I'm wondering how rulesets are/should be written for DMZ scenarios. For example:

    ext_if = "fxp0"
    dmz_if = "fxp1"
    int_if = "fxp2"
    nameservers = "{ 192.168.1.2, 192.168.1.3 }"

    pass in  on $ext_if proto { tcp, udp } from any to $nameservers port 53
    pass out on $dmz_if proto { tcp, udp } from any to $nameservers port 53
    pass in  on $dmz_if proto { tcp, udp } from $nameservers port 53 to any
    pass in  on $dmz_if proto { tcp, udp } from $nameservers to any port 53
    pass out on $ext_if proto { tcp, udp } from $nameservers port 53 to any
    pass out on $ext_if proto { tcp, udp } from $nameservers to any port 53

Am I being redundant or excessively restrictive? And assuming that "keep state" is implicit, does this mean that a state entry will be created for each interface?

Thanks.
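As an added illustration (not part of the original post), here is the same DMZ written so that each DNS flow is matched by a single stateful rule on the interface where it first enters the firewall; the `int_if:network` client rule and the explicit `block all` default are assumptions added for completeness.

```pf
# Added example, not the poster's ruleset. pf's default state policy is
# "floating": a state created when a packet arrives on $ext_if also matches
# the same packet when it leaves on $dmz_if, and the reply on its way back.
# The separate "pass out" rules from the question therefore never create a
# second state and can be dropped. Under "set state-policy if-bound" each
# interface would need its own pass rule and would hold its own state entry.
ext_if = "fxp0"
dmz_if = "fxp1"
int_if = "fxp2"
nameservers = "{ 192.168.1.2, 192.168.1.3 }"

set state-policy floating      # the default, shown explicitly

# Default deny on every interface, both directions; only state entries and the
# pass rules below let traffic through.
block all

# Internet clients querying the DMZ resolvers: one rule, one state per flow.
pass in on $ext_if proto { tcp, udp } from any to $nameservers port 53 keep state

# Recursive lookups the resolvers make toward the Internet: one rule as well.
pass in on $dmz_if proto { tcp, udp } from $nameservers to any port 53 keep state

# Internal hosts using the resolvers (assumed requirement, not in the post).
pass in on $int_if proto { tcp, udp } from $int_if:network to $nameservers port 53 keep state
```

Parse-check the file with `pfctl -nf /etc/pf.conf` before loading it, and after a test query `pfctl -ss` shows that a single state entry exists for the flow rather than one per interface.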