From owner-freebsd-isp@FreeBSD.ORG Thu Feb 19 04:54:09 2004
Return-Path:
Delivered-To: freebsd-isp@freebsd.org
Received: from mx1.FreeBSD.org (mx1.freebsd.org [216.136.204.125]) by hub.freebsd.org (Postfix) with ESMTP id E1C8C16A4D7 for ; Thu, 19 Feb 2004 04:54:09 -0800 (PST)
Received: from koti.synty.net (www.svk.fi [213.173.139.102]) by mx1.FreeBSD.org (Postfix) with ESMTP id 7F59943D1D for ; Thu, 19 Feb 2004 04:54:09 -0800 (PST) (envelope-from listat@synty.net)
Received: by koti.synty.net (Postfix, from userid 565) id 120BAAEA2F; Thu, 19 Feb 2004 07:54:07 -0500 (EST)
Received: from localhost (localhost [127.0.0.1]) by koti.synty.net (Postfix) with ESMTP id 114F6B6954 for ; Thu, 19 Feb 2004 14:54:07 +0200 (EET)
Date: Thu, 19 Feb 2004 14:54:07 +0200 (EET)
From: VA
To: freebsd-isp@freebsd.org
Message-ID:
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Subject: firewalling policy
X-BeenThere: freebsd-isp@freebsd.org
X-Mailman-Version: 2.1.1
Precedence: list
Reply-To: VA
List-Id: Internet Services Providers
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Thu, 19 Feb 2004 12:54:10 -0000

Hi fellow SysAdmins,

I'm building a FreeBSD router/firewall for a little heavier use. I will use pf as the firewall because it's more familiar and since I need to maintain a few OpenBSD boxes as well. Anyways, I was hoping to get an opinion on a firewall rule structure. There are 10 physical NICs (Intel Dual 100Mbs) and also a bunch of VLANs. What is the best point to firewall? Naturally, a default-block strategy is assumed. I know each interface needs rules to achieve good security, but what about the external interface (WAN link)? Is it safe just to firewall each internal interface, because otherwise I need "double rules" and it gets more complicated? Any other hints to give, or good optimized examples for pf in a larger environment? I will surely make a public document once I get this up and running.

Thanks in advance, and especially to all you developers of this great OS!

-Vesa, SysAdmin, Finland
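One way to lay out the rule structure the question asks about, as an added example rather than the poster's own configuration: a default-block pf.conf for a multi-interface router in which every interface, the external one included, carries its own rules. The interface names (fxp0, fxp1, fxp2), the address ranges and the published services are assumed placeholders, not values from the message.

```conf
# Added example (not the poster's config): default-block pf.conf for a router
# with one external and several internal interfaces. All names and networks
# below are assumed placeholders.
ext_if = "fxp0"
lan_if = "fxp1"
dmz_if = "fxp2"
lan_net = "192.168.10.0/24"
dmz_net = "192.168.20.0/24"
web_ports = "{ 80, 443 }"

# RFC 1918 ranges: never valid as a source on the external interface
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
scrub in all

# Default policy: nothing passes on any interface unless a later rule says so.
# Logging the default block gives the denied-traffic record for review.
block log all

# Drop packets whose source address does not belong on the interface they
# arrived on (covers the internal interfaces; the table rule below covers ext).
antispoof log quick for { $lan_if, $dmz_if }

# External interface: reject private source addresses, admit only the
# published DMZ services, allow replies to outbound connections via state.
block in log quick on $ext_if from <rfc1918> to any
pass in on $ext_if proto tcp from any to $dmz_net port $web_ports flags S/SA keep state
pass out on $ext_if keep state

# LAN interface: clients may reach the DMZ web servers and the Internet,
# but not other internal ranges (those stay under the default block).
pass in on $lan_if proto tcp from $lan_net to $dmz_net port $web_ports flags S/SA keep state
pass in on $lan_if from $lan_net to ! <rfc1918> keep state
pass out on $lan_if keep state

# DMZ interface: servers may only answer (state handles that) and resolve DNS;
# they may not initiate connections into the LAN.
pass in on $dmz_if proto { tcp, udp } from $dmz_net to ! <rfc1918> port 53 keep state
pass out on $dmz_if keep state
```

The structure answers the "double rules" concern by giving each interface a narrow, single-purpose set of pass rules rather than duplicating the same rule on both sides of every path: the external interface decides what enters the site, each internal interface decides what that segment may start, and state entries carry the return traffic so it does not need a second explicit rule. Filtering only the internal interfaces would leave the router's own external-facing services and any interface without rules exposed, so the external interface keeps its own block and pass lines. Load the file with `pfctl -nf /etc/pf.conf` first to syntax-check it before `pfctl -f`.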