On Mon, Jan 10, 2011 at 3:52 PM, Henning Brauer <lists-open...@bsws.de> wrote:
> * Daniel C. Sinclair <daniel.c.sincl...@gmail.com> [2011-01-10 21:56]:
>> In my case I consider all sides of the firewall hostile - I want to
>> protect the internet from the machines on my network just as much as I
>> want to protect those machines from the internet. So there isn't
>> really an inside and outside.
>
> that doesn't change a thing. same here. there still is inside and
> outside, just none considered "safe".

From the firewall's point of view interfaces are not inside or outside - they are just interfaces with some network behind them. I found pf easier to understand when I stopped thinking about inside/outside and took the same viewpoint.

> i express all policy on the (many many many, in my case) "inside"
> interfaces.
>
>> I also want netflow for all traffic
>> that goes through the firewall - not just to/from the internet but
>> also dmz to dmz.
>
> see? another point for doing it on the "inside" interfaces.

Where do you put the 'keep state(pflow)'? Do you have to add it to more than one rule? In my case I always want pflow on everything and I prefer to eliminate the chance that I (or someone else) forget to add it somewhere. Adding it on the single 'pass out' rule keeps things simple.

Feel free to give an example. I'm sure many people would like to see how you use pf. :)

Daniel
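One way to lay out the pflow placement the thread discusses, written as an added pf.conf sketch that is not from either poster: policy sits on the inside-facing interfaces as Henning describes, `set state-defaults pflow` attaches the export option to every state so no single rule has to remember it, and the explicit `keep state (pflow)` form appears on one rule for comparison. Interface names, networks and collector addresses are assumed placeholders.

```pf
# Added example, not from the thread; interface names, networks and the
# collector address below are assumed placeholders.
ext_if  = "em0"
lan_if  = "em1"
dmz_if  = "em2"
dmz_net = "192.0.2.0/24"

# Make pflow export the default for every state, so policy rules written
# per interface do not each need to repeat "keep state (pflow)".
set state-defaults pflow
set skip on lo

block log all

# Policy is expressed on the inside-facing interfaces. Each rule creates
# state (implicit keep state) and, through state-defaults, a flow record.
pass in on $lan_if inet proto tcp from $lan_if:network to port { 80 443 }
pass in on $dmz_if inet proto tcp from $dmz_net to port { 25 53 }
pass in on $dmz_if inet proto udp from $dmz_net to port 53

# Explicit per-rule form of the same option. state-defaults only applies
# to rules without their own keep state options, so a rule that sets
# other state options must name pflow itself or its states are not exported.
pass in on $ext_if inet proto tcp to $dmz_net port 25 \
    keep state (pflow, max-src-conn 100)

# Let traffic leave on the external interface; states already exist for
# forwarded connections, so this mainly covers the firewall's own traffic.
pass out on $ext_if

# pflow(4) interface that hands the records to the collector (placeholder
# addresses), e.g. as the contents of /etc/hostname.pflow0:
#   flowsrc 192.0.2.1 flowdst 198.51.100.10:2055
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it; `pfctl -ss -vv` shows which states carry the pflow flag.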