* Daniel C. Sinclair <daniel.c.sincl...@gmail.com> [2011-01-11 09:46]:
> On Mon, Jan 10, 2011 at 3:52 PM, Henning Brauer <lists-open...@bsws.de>
> wrote:
> > * Daniel C. Sinclair <daniel.c.sincl...@gmail.com> [2011-01-10 21:56]:
> >> In my case I consider all sides of the firewall hostile - I want to
> >> protect the internet from the machines on my network just as much as I
> >> want to protect those machines from the internet. So there isn't
> >> really an inside and outside.
> > that doesn't change a thing. same here. there still is inside and
> > outside, just none considered "safe".
> From the firewall's point of view interfaces are not inside or outside
> - they are just interfaces with some network behind them.

sigh. you can continue to twist words, or you can solve your problem.
if you prefer to twist words I'm out.

    internet              OUTSIDE
    firewall
    shitloads of vlans    INSIDE

whoever thinks inside implies trust is on drugs anyway. and that
"internet" in my case connects to my own infrastructure including other
openbsd boxes doesn't make a difference either.

> > i express all policy on the (many many many, in my case) "inside"
> > interfaces.
> >> I also want netflow for all traffic
> >> that goes through the firewall - not just to/from the internet but
> >> also dmz to dmz.
> > see? another point for doing it on the "inside" interfaces.
> Where do you put the 'keep state(pflow)'?

just one spot.

    ks = "keep state(pflow)"

doubt that helped you know tho

> Do you have to add it to more than one rule?

me? yes.

> In my case I always want pflow on everything and
> I prefer to eliminate the chance that I (or someone else) forget to
> add it somewhere. Adding it on the single 'pass out' rule keeps
> things simple.

aha. you want fine grained (because otherwise you get it twice, by
definition), but you only want to use one giant global hammer. now
that is going to work out.

> Feel free to give an example. I'm sure many people would like to see
> how you use pf. :)

i'm not going to post my production rulesets. i already said how I'm
doing things, and I am under the impression that was pretty
straightforward.

heck, here's one.

    block
    pass in on egress to $mynetworks
    pass out on vlan proto tcp to port { 80 443 } $ks

making this more fine grained, add fw self protection, spoof
protection, the set skips for loopback, pfsync and the physical if
under the vlans and allowing the INSIDE machines to initiate
connections to the OUTSIDE is left as an exercise to the reader.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
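Working through the exercise the message leaves to the reader, as an added example that is not part of the thread and not Henning's ruleset. The interface names, the sample networks, the dmz-to-lan port and the choice to put $ks only on the "pass out" rule of the exit interface (so each flow is exported once) are assumptions.

```pf
# Added illustration, not from the thread.  Assumed layout: em0 is the
# physical trunk under the vlans, vlan10 (dmz) and vlan20 (lan) are the
# INSIDE segments, the "egress" group faces the OUTSIDE, pfsync0 syncs
# state to a peer.  Addresses are constructed sample values.
phys       = "em0"
dmz        = "vlan10"
lan        = "vlan20"
inside     = "{ vlan10 vlan20 }"
mynetworks = "{ 192.0.2.0/24 198.51.100.0/24 }"
ks         = "keep state (pflow)"

# Per-interface policy only works if every interface crossing creates its
# own state; a floating state created by "pass in" on one interface would
# match the packet on its way out and the out rules would never be hit.
set state-policy if-bound

# loopback, pfsync and the physical trunk under the vlans carry no policy
set skip on { lo0 pfsync0 $phys }

# spoof protection on every inside segment
antispoof quick for $inside

# default deny, logged
block log all

# fw self protection: only ssh from the lan reaches the box itself.
# This flow never leaves on another interface, so $ks goes on the in rule.
pass in on $lan proto tcp from $lan:network to ($lan) port 22 $ks

# OUTSIDE -> INSIDE: admit on egress without pflow, express the real
# policy (and the single pflow export) on the inside interface the flow exits
pass in on egress proto tcp to $mynetworks
pass out on $dmz proto tcp to $dmz:network port { 80 443 } $ks

# INSIDE -> INSIDE (dmz to lan) and INSIDE -> OUTSIDE: same pattern,
# $ks only on the "pass out" of the exit interface, one export per flow
pass in on $inside from { $dmz:network $lan:network }
pass out on $lan proto tcp from $dmz:network to $lan:network port 5432 $ks
pass out on egress from $mynetworks $ks
```

Check the result with `pfctl -nf /etc/pf.conf` before loading; the pflow export itself still needs a configured pflow0 interface.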