From: Gobbledegeek
To: freebsd-pf@freebsd.org
Date: Thu, 8 Dec 2005 18:05:28 +0530
Subject: Re: Firewall concepts

Hello Marcus

A firewall on every pc will soon become a nightmare to manage as the network grows.
You could in theory put the pf rules on a read-only remote filesystem... and have every client access it, but that's if you have time for such tricks...

The internet gateway is the place to put your firewall - the one that has the direct connection to the internet. And make sure no one can unplug it from the network, or shut down the pf even temporarily.

Rgrds

> Would it be necessary to use a firewall on my client? I like the
> concept of disabling unused services and even binding them to
> interfaces where they belong to and do not expose them to everyone
> on the local net by binding them to localhost. Kind of a heretic
> question, but I am missing the clue where to start..
>
> regards,
> Marcus
>

--
Nonchalantly yours
GobbledeGeek
[Everything but Gobbledegook.. !!]