Date: Sat, 21 Feb 2004 03:57:13 +0100
From: Sten Daniel Sørsdal <sten.daniel.sorsdal@wan.no>
To: "VA" <listat@synty.net>, <freebsd-isp@freebsd.org>
Subject: RE: firewalling policy
Message-ID: <C52F34106949174F9D92F96C2411AAA9043336@exchange.wanglobal.net>
> What is the best point to firewall? Naturally default block
> strategy assumed. I know each interface needs rules to achieve
> good security, but what about external interface (WAN link)?
> Is it safe just to firewall each internal interface, because
> otherwise I need "double rules" and it gets more complicated.
>
> Any other hints to give or good optimized examples for pf in
> larger environment? I will surely make a public document once
> I get this up and running.
> Thanks in advance and especially all you developers of this great OS!
>

I pretty much always go for a setup in this order, and I always group my
rules by first incoming and then outgoing per interface:

a) drop all attempts at spoofing
b) no redundancy (duplicate rules)
c) block/accept packets as early as possible (preferably on incoming)

This method leaves few rules on outgoing segments, usually only the local
rules for the firewall, and makes efficient use of state tables.
With a large ruleset it becomes difficult to maintain anything with
duplicate rules.

If this is about firewalling/routing internet traffic (public IP addresses)
I would be extra careful about sources you cannot trust when it comes to
keeping state. A SYN attack or multiple instances of a virus like Blaster
can make the firewall slow or at worst unresponsive/crash.

Good luck with the firewall!

_// Sten Daniel Sørsdal
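The following pf.conf is an added illustration of the three-step ordering described in the reply above (antispoof first, no duplicate rules, decide on the incoming side and let state carry the return traffic), together with the state-table precautions the reply recommends for untrusted public sources. It is not from the original thread or from the FreeBSD project; interface names (em0/em1), the routed public prefix 192.0.2.0/24, the server address and all limit values are constructed assumptions for illustration.

```pf
# Added example, not from the original message. Interface names, addresses,
# ports and limit values are assumptions chosen for illustration only.
ext_if  = "em0"              # assumed WAN (untrusted) interface
int_if  = "em1"              # assumed internal segment, routed public space
int_net = "192.0.2.0/24"     # constructed prefix (TEST-NET-1)
mail_srv = "192.0.2.25"      # constructed address of an internal mail server

# Sources that exceed the per-source limits below land here and are dropped
table <flooders> persist

set skip on lo0
# Cap the state table so a SYN flood or worm outbreak cannot exhaust kernel
# memory, and expire half-open entries quickly so the cap is rarely reached.
set limit states 20000
set timeout { tcp.first 30, tcp.opening 10 }

# a) Drop spoofed packets before anything else: a packet arriving on an
#    interface with a source address belonging to another interface's network.
antispoof log quick for { $ext_if $int_if }

# Default policy: block everything, then open only what is needed.
block in log all
block out log all

# Sources already identified as abusive are dropped before any pass rule.
block in quick on $ext_if from <flooders>

# c) Decide on the incoming side. keep state / synproxy state means the reply
#    packets and the forwarded packets match the state entry on the outgoing
#    interface, so no mirrored "double rule" is needed there (b).
#    synproxy completes the TCP handshake on the firewall, so the mail server
#    never sees a half-open connection; the per-source limits move any host
#    that opens too many or too fast into <flooders> and flush its states.
pass in on $ext_if inet proto tcp from any to $mail_srv port smtp \
    flags S/SA synproxy state \
    (max-src-conn 50, max-src-conn-rate 20/10, overload <flooders> flush global)

# Inbound from the internal (trusted) segment: plain stateful pass.
pass in on $int_if inet from $int_net to any keep state

# The only outgoing rules are for the firewall's own traffic; everything
# forwarded was already decided by an incoming rule above.
pass out on $ext_if inet proto { tcp udp icmp } from ($ext_if) to any keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`. The state policy is left at its default (floating) on purpose: with `set state-policy if-bound`, a state created by the `pass in on $int_if` rule would not match the same packet when it leaves on `$ext_if`, and the `block out` default would drop forwarded traffic. `pfctl -t flooders -T show` lists the sources the overload rule has caught, and `pfctl -si` reports current state-table usage against the configured limit.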