Date: Fri, 09 Dec 2005 21:11:04 +0530
From: GobbleDeGeek <gobbledegeek@gmail.com>
To: Marcus Franke <MFranke@evendi.de>, freebsd-pf@freebsd.org
Subject: Re: AW: freebsd-pf Digest, Vol 64, Issue 5
Message-ID: <4399A590.4040704@gmail.com>
In-Reply-To: <AE41C3C123D61B45B457F3037275842F1E090F@DC-EX-001.evendi.local>
References: <AE41C3C123D61B45B457F3037275842F1E090F@DC-EX-001.evendi.local>
That's a good feature. My idea about over-riding local with remote policy is to minimize local per host configuration effort - in the absence of a centralized configuration tool. With the interface up and running, we don't want a liberal local policy even for 30-40 seconds, while remote policy is being downloaded... although this concern is more about viruses that pf may not filter anyways...

Rgrds

Marcus Franke wrote:
> Hello,
>
> This is the way Windows does its policy management.
>
> First the local ruleset will be read, then according to the location
> of the computer in the ldap tree and policy rules that are connected
> to these nodes will be read.
>
> Those rules that are nearer to the computer account will overwrite those
> being "far away".
>
> Windows knows an option "no overwrite" you can set. When this option
> is set, the policy won't be overwritten by those closer to the computer
> account in the directory structure.
>
> Works good, as far as I have used it so far..
>
>
>>-----Original Message-----
>>From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On
>>Behalf Of GobbleDeGeek
>>Sent: Friday, 9 December 2005 14:25
>>To: freebsd-pf@freebsd.org
>>Subject: Re: freebsd-pf Digest, Vol 64, Issue 5
>>
>>I agree. One way out is to set up each machine with a default tight local
>>policy that only allows access to the local "remote file system" (sic!),
>>then read in the more liberal site-wide policy to replace the existing
>>one... this will mean an nfs mount or a one-way rsync ... and a simple
>>per machine ruleset blocking everything
>>but the firewall policy server's nfs or rsync... any other ideas ??
>>
>>Rgrds
>>
>>>I would admit to this, but I am the only person using these boxes.
>>>
>>>One is my machine in the office, the other one is at home.
>>>
>>>Concerning the manageability I would say, yes, you are right. One
>>>should invent a solution like the manageability of WinXP SP2 with
>>>the help of the ActiveDirectory in a windows server domain.
>>>
>>>One ruleset for all boxes.
>>>
>>>But, often you read that attacks against servers will be done from
>>>the inside network.
>>>
>>>
>>>
>>>Marcus
>>>
>>
>>_______________________________________________
>>freebsd-pf@freebsd.org mailing list
>>http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
>
>
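One way to put the "tight local bootstrap policy, then pull the site-wide ruleset" scheme discussed in this thread into practice, added here as an example (this is not code from the thread or from the pf project; the policy server address 192.0.2.10, the rsync path /policy/pf.conf and the local file names are assumptions):

```shell
#!/bin/sh
# Added example, not from the thread. Policy server, remote path and local
# file locations are constructed placeholders; adjust to your site.
POLICY_SERVER="${POLICY_SERVER:-192.0.2.10}"
BOOT_RULES="${BOOT_RULES:-/etc/pf.boot.conf}"
SITE_RULES="${SITE_RULES:-/etc/pf.site.conf}"

# Tight per-host bootstrap policy: drop everything except the one flow the
# fetch needs (ssh to the policy server, which carries rsync). This is what
# pf runs while the site-wide policy is still being downloaded, so there is
# no window with a liberal ruleset on a live interface.
boot_ruleset() {
    cat <<EOF
set block-policy drop
set skip on lo0
block all
pass out quick proto tcp to $POLICY_SERVER port 22 flags S/SA keep state
EOF
}

# One-way rsync into a temp file, swapped in only once the copy completed,
# so a half-transferred ruleset is never what gets loaded.
fetch_site_rules() {
    rsync -az --timeout=30 "policy@$POLICY_SERVER:/policy/pf.conf" "$SITE_RULES.tmp" \
        && mv "$SITE_RULES.tmp" "$SITE_RULES"
}

# Load a ruleset only after pfctl's dry run (-n) accepts it. On any failure
# the previously loaded (tight) rules stay active instead of the box
# falling open.
load_ruleset() {
    pfctl -nf "$1" >/dev/null 2>&1 || { echo "refusing to load $1: syntax error" >&2; return 1; }
    pfctl -f "$1"
}

main() {
    boot_ruleset > "$BOOT_RULES"
    load_ruleset "$BOOT_RULES" || exit 1
    if fetch_site_rules; then
        load_ruleset "$SITE_RULES" || echo "keeping bootstrap policy" >&2
    else
        echo "fetch failed, keeping bootstrap policy" >&2
    fi
}

# Only touch pf when explicitly invoked with "apply", e.g. from rc.local.
if [ "${1:-}" = "apply" ]; then main; fi
```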
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?4399A590.4040704>
