From: Felipe Neuwald
To: VA, freebsd-isp@freebsd.org
Date: Thu, 19 Feb 2004 13:50:38 -0300
Subject: Re: firewalling policy

Hi VA,

On Thu, 2004-02-19 at 09:54, VA wrote:
> Hi fellow SysAdmins,
>
> I'm building a FreeBSD route/firewall for a little heavier use. I will use
> pf for firewall because it's more familiar and since I need to maintain a
> few OpenBSD boxes as well.
>
> Anyways I was hoping to get an opinion for a firewall rule structure.
> There are 10 physical NICs (Intel Dual 100Mbs) and also a bunch of VLANs.
>
> What is the best point to firewall? Naturally default block strategy
> assumed. I know each interface needs rules to achieve good security, but
> what about external interface (WAN link)? Is it safe just to firewall each
> internal interface, because otherwise I need "double rules" and it gets
> more complicated.

Make your firewall and your network secure from outside by creating rules
applicable to your WAN interface. You have 9 more interfaces, so make the
rules according to the networks and hosts that will be behind these
interfaces.

The best phrase that I ever heard about the free software world: read,
write and execute... a thousand times... :-)

> Any other hints to give or good optimized examples for pf in larger
> environment? I will surely make a public document once I get this up and
> running.
> Thanks in advance and specially all you developers of this great OS!
>
> -Vesa, SysAdmin, Finland

--
Felipe Neuwald
felipe@neuwald.biz

"My sword will not know its sheath as long as the disgrace and injustice
that subjugate my people endure."
Simón Bolívar
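
One way to lay out the policy discussed in this thread (default block, WAN rules plus per-interface rules), given as an added example that is not part of the original messages: pf tags record the decision made on the ingress interface, so each outbound interface checks a tag instead of repeating every rule. Interface names, addresses, services and tag names are assumptions.

```pf
# Constructed example: interface names, addresses and services are assumptions.
ext_if  = "em0"                    # WAN link
lan_if  = "em1"                    # one internal NIC
dmz_if  = "vlan10"                 # one internal VLAN
lan_net = "198.51.100.0/24"
dmz_net = "203.0.113.0/24"
web_srv = "203.0.113.10"
bogons  = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 }"

set block-policy drop
set skip on lo0

# Default block on every interface, in both directions.
block log all

# Drop packets that claim an internal source but arrive on the wrong interface.
antispoof quick for { $lan_if, $dmz_if }

# WAN: refuse spoofed sources, admit only the published service.
block in quick on $ext_if from $bogons to any
pass in on $ext_if proto tcp from any to $web_srv port { 80, 443 } tag WAN_DMZ

# Policy is decided once, on the interface where a packet enters.
# The last matching rule wins, so LAN web traffic to the DMZ ends up LAN_DMZ.
pass in on $lan_if from $lan_net to any tag LAN_OUT
pass in on $lan_if proto tcp from $lan_net to $web_srv port { 80, 443 } tag LAN_DMZ
pass in on $dmz_if proto { tcp, udp } from $dmz_net to any port 53 tag DMZ_OUT

# The outbound side of each interface only checks the tag, so nothing is
# written twice. LAN traffic to the DMZ on other ports carries LAN_OUT,
# matches no rule on $dmz_if and falls through to the default block.
pass out on $ext_if tagged LAN_OUT
pass out on $ext_if tagged DMZ_OUT
pass out on $dmz_if tagged WAN_DMZ
pass out on $dmz_if tagged LAN_DMZ

# Traffic originated by the firewall itself carries no tag and needs its own
# pass out rules. Current pf keeps state on pass rules by default; older
# releases need an explicit "keep state" on each pass rule.
```

Loading the file with `pfctl -nf` parses it without applying the ruleset, which catches syntax errors before the default block takes effect.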