Date: Sat, 21 Feb 2004 03:57:13 +0100
From: Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
To: "VA" <listat@synty.net>, <freebsd-isp@freebsd.org>
Subject: RE: firewalling policy
Message-ID: <C52F34106949174F9D92F96C2411AAA9043336@exchange.wanglobal.net>
> What is the best point to firewall? Naturally default block
> strategy assumed. I know each interface needs rules to achieve
> good security, but what about the external interface (WAN link)?
> Is it safe just to firewall each internal interface, because
> otherwise I need "double rules" and it gets more complicated.
>
> Any other hints to give or good optimized examples for pf in a
> larger environment? I will surely make a public document once
> I get this up and running.
> Thanks in advance and especially all you developers of this great OS!
>

I pretty much always go for a setup in this order, and I always group my rules by first incoming and then outgoing per interface:

a) drop all attempts at spoofing
b) no redundancy (duplicate rules)
c) block/accept packets as early as possible (preferably on incoming)

This method leaves few rules on outgoing segments, usually only the local rules for the firewall, and makes efficient use of state tables. With a large ruleset it becomes difficult to maintain anything with duplicate rules.

If this is about firewalling/routing internet traffic (public IP addresses), I would be extra careful about sources you cannot trust when it comes to keeping state. A SYN attack or multiple instances of a virus like Blaster can make the firewall slow or, at worst, unresponsive/crash.

Good luck with the firewall!

_// Sten Daniel Sørsdal
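The following pf.conf sketch is an added example for this archive page, not code from Sten or from anyone in the thread. It puts the three points of the reply into one ruleset: anti-spoofing first, no duplicate rules, and filtering on the incoming interface of each segment so that the reply traffic is matched by the state entry instead of a second rule on the WAN side, with state limits so that untrusted sources cannot exhaust the table. The interface names, the LAN prefix, the published port and all numeric limits are assumptions; synproxy and the per-source connection limits are real pf state options, but the max-src-conn options appeared in pf releases newer than the 2004 version this thread is about.

```pf
# Added example, not code from the original thread. Interface names, the LAN
# prefix, the published port and the limits are assumptions for illustration.
ext_if  = "fxp0"                # WAN link (assumed name)
int_if  = "fxp1"                # internal segment (assumed name)
lan_net = "192.168.1.0/24"      # constructed example prefix

# Bound the state table so that a flood from untrusted sources cannot fill it.
set limit { states 10000, src-nodes 2000 }
set skip on lo0

# a) drop spoofed packets on every interface before anything else
antispoof quick for { $int_if $ext_if }

# Default deny in both directions; everything below is an explicit exception.
block in  log all
block out log all

# c) decide on the incoming interface of each segment and keep state there.
#    The reply packets are matched by the state entry on every interface, so no
#    duplicate "pass out on $ext_if" rule is needed (point b).
pass in quick on $int_if inet from $lan_net to any keep state

# From the WAN, accept only published services, with per-source limits so that
# a SYN flood or a worm cannot exhaust the state table. synproxy completes the
# handshake itself before any state is created for the server side.
pass in quick on $ext_if inet proto tcp from any to $ext_if port 22 \
    flags S/SA synproxy state (max-src-conn 50, max-src-conn-rate 15/5)

# The only outgoing rules: traffic originated by the firewall itself.
pass out quick on { $int_if $ext_if } inet from self keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it; the state limits in `set limit` should be sized from `pfctl -si` counters observed on the actual link rather than taken from this sketch.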
