On Fri, 09 Sep 2005 09:39:00 +0200, Guido Tschakert wrote:
>Stephan A. Rickauer wrote:
>> Gaby vanhegan wrote:
>>
>>> Yes, correct, my bad... Or perhaps this would work also:
>>>
>>> block out on $if_dmz keep state
>>> pass out on $if_dmz from {$if_lan, $if_inet} to 1.2.3.4 port smtp
>>> keep state
>>>
>>> Maybe that was what I intended to write... :)
>>
>>
>> Ok, I am now playing with 'fwbuilder' to see how the generated pf rules
>> look like. Presumably, they won't be structured as efficiently as if one
>> writes them by hand - but managing hundreds of rules manually is a
>> nightmare ...
>>
>> Thanks so far,
>>
>Hello,
>
>I think you know the following, but nevertheless its important if you
>port your rules from netfilter to pf.
>
>In netfilter nat and filter rules are checked with:
>first match wins.
>
>In pf nat rules also the first match wins
>
>__but__
>
>in pf filter rules the __last__ match wins.
>
>In fact that is the one thing I don't like in pf, but to have a "first
>match win" you can use the magic word quick in all your pass and block
>rules. (e.g "pass in quick")
And thereby end up with yards of quick rules that can catch you later.
You should think of it this way:
Default security is best with block everything and then pass what
selected few things you need.
So:
block all
pass in on $int_if from $safe1 to $ok2 keep state
pass in on $ext_if from any to $ext_if port ssh keep state
really makes a readable and logical arrangement to those of us who were
taught the block all, pass few security policy.
Now the example above is waaaaaay briefer than most useful rulesets but
working from the principle I described adding necessary rules is not
difficult and thoughtful grouping with whitespace between grouped rules
makes for easier reading.
I have a firewall with 3 ethernet NICs and a wi-fi card. There is a DMZ
with servers in it, there are restrictions on some LAN hosts and the
wi-fi has authpf statements. The spamd rules and tables needed to do
greylisting and tarpitting are in there too.
The total line count is 71 with many blank lines for readability and
about 16 macro definitions. There are (IIRC) about 3 "quicks" in it, 2
of which are for the loopback and one just blocks a single IP that
tries DOS attacks now and then.
I'd hate to see it written with a yard of "quick" pass rules
terminated with a block all. Forget to write that rule and you are wide
open. Put it at the top and it is pretty hard to leave it out. See the
default pf.conf where all you need to do is uncomment it at the top of
the filter rules.
>
>guido
>
>
>From the land "down under": Australia.
Do we look <umop apisdn> from up over?
Do NOT CC me - I am subscribed to the list.
Replies to the sender address will fail except from the list-server.
