From owner-freebsd-pf@FreeBSD.ORG Sun Dec 11 07:41:18 2005
From: "Travis H." <solinym@gmail.com>
To: freebsd-pf@freebsd.org
Date: Sun, 11 Dec 2005 01:41:16 -0600
Subject: Re: Firewall concepts
List-Id: "Technical discussion and general questions about packet filter (pf)"

On 12/8/05, Marcus Franke wrote:
> > A firewall on every pc will soon become a nightmare to manage as the
> > network grows.

Not necessarily. If the needs of the machines do not change, then there is no change to manage.

Your pf rules, in theory, can be quite simple, and adjustments can be made on an as-needed basis. The main problem comes when they need to offer some kind of service that requires inbound connections, such as traditional servers, some multimedia and p2p protocols. The question is, are those changes going to be applied to all machines, or just one at a time? If the former, then having a global, shared ruleset is the way to go. If the latter, then having an independent per-machine configuration file is the way to go. You can even implement a middle ground by use of anchors or textual inclusion using some kind of preprocessor (email me if you want a copy of one).

> Concerning the manageability I would say, yes, you are right. One
> should invent a solution like the manageability of WinXP SP2 with
> the help of the ActiveDirectory in a windows server domain.

*shudders*

I've never been exactly sure what problem "the registry" or "active directory" solves. The former is a hierarchical namespace containing configuration information, which sounds like a filesystem to me. What program variables are considered "configurable" seems somewhat arbitrary. Can you explain what problem ActiveDirectory solves? I'm willing to bet if you can tell me the requirements, I can point you to an open-source solution. There is something called OpenLDAP...

> But, often you read that attacks against servers will be done from
> the inside network.

Indeed, a firewall on every machine is the only way to implement the "principle of least privilege" in many cases. Trying to centralize access control on one firewall machine is a useful idiom, but can become challenging as the links to "untrusted" networks increase, for example when some internal user installs a modem or WAP. Now the outside world has equivalent access to what was a trusted insider. Furthermore, having a single firewall provides a single point of failure; if it dies, no packets flow.

And other issues can combine to make a centralized gateway impractical. For most users bandwidth of the firewall isn't an issue, but a single full-duplex gigabit ethernet link can saturate a 32-bit 33MHz PCI bus to capacity. In reality you can start seeing dropped packets as low as 200-300Mbps, and without selective acknowledgements the performance of TCP really suffers in the face of dropped packets. If increasing bandwidth doesn't do it, end-to-end encryption will be the death knell of a centralized firewall or NIDS system, as the ports used and application data will be unavailable to any system in the middle (unless of course all systems escrow their keys with the firewall or gateway, which is complex and problematic and defeats the purpose of end-to-end encryption).

--
http://www.lightconsulting.com/~travis/ -><-
Knight of the Lambda Calculus
"We already have enough fast, insecure systems." -- Schneier & Ferguson
GPG fingerprint: 50A1 15C5 A9DE 23B9 ED98 C93E 38E9 204A 94C2 641B
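The "middle ground" the post describes, a shared base ruleset plus per-machine additions spliced in by a preprocessor, as an added example (this is not the preprocessor the author offers, and not code from the list). The script assembles one pf.conf per host from a base file that every machine shares (default deny, the machine's own outbound traffic allowed, an empty "local" anchor) and an optional per-host fragment that only machines accepting inbound connections need. The file names, the interface em0, the host names www and desk, and the rules themselves are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post: a tiny "preprocessor"
# that assembles a per-machine pf.conf from a shared base ruleset plus an
# optional per-host fragment.  The base sets policy for every machine
# (default deny, own outbound traffic allowed) and declares an anchor;
# a fragment is only needed on hosts that must accept inbound connections.
# File names, the interface (em0), host names and rules are constructed.

# build_ruleset BASE_FILE HOST_DIR HOSTNAME
# Print the shared base, then HOST_DIR/HOSTNAME.pf if one exists.
# Hosts without a fragment simply keep the default-deny base.
build_ruleset() {
    base="$1"; hostdir="$2"; host="$3"
    cat "$base"
    printf '\n# --- per-host rules for %s ---\n' "$host"
    if [ -f "$hostdir/$host.pf" ]; then
        cat "$hostdir/$host.pf"
    else
        echo "# no fragment for $host: nothing inbound is allowed"
    fi
}

# count_rules PATTERN FILE: number of lines beginning with PATTERN
# (a cheap sanity check before loading; prints 0 rather than failing
# when nothing matches).
count_rules() {
    grep -c "^$1" "$2" || true
}

# make_tree: create a scratch directory holding the base ruleset and one
# per-host fragment, and print its path.  Contents are constructed.
make_tree() {
    d=$(mktemp -d)
    mkdir "$d/hosts"
    cat > "$d/base.pf" <<'EOF'
# shared by every machine
set skip on lo0
block all
pass out quick keep state
anchor "local"
EOF
    cat > "$d/hosts/www.pf" <<'EOF'
# only the web server accepts inbound connections
pass in on em0 proto tcp to port { 80 443 } keep state
EOF
    echo "$d"
}

# assemble_all TREE: write TREE/out/HOST.conf for each host and report
# how many 'pass in' rules each one ended up with.
assemble_all() {
    tree="$1"
    mkdir -p "$tree/out"
    for host in www desk; do
        build_ruleset "$tree/base.pf" "$tree/hosts" "$host" > "$tree/out/$host.conf"
        echo "$host: $(count_rules 'pass in' "$tree/out/$host.conf") inbound rule(s)"
    done
}

tree=$(make_tree)
assemble_all "$tree"
# On a pf host the assembled file for this machine would then be syntax
# checked and loaded with:
#   pfctl -nf "$tree/out/$(hostname -s).conf" && pfctl -f "$tree/out/$(hostname -s).conf"
```

Because the base file is identical everywhere, a policy change that should reach every machine is a one-file edit; a change that concerns one server touches only that server's fragment. The `anchor "local"` line in the base leaves a named slot that an administrator can populate at runtime with `pfctl -a local -f`, without regenerating the whole ruleset, which is the anchor-based variant of the same idea.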