> Before having a look, these are a couple of things I've learnt thus far.
> Firstly, because the bridge has > 2 interfaces, it is not possible just to
> pass traffic on one interface and filter on the other. Secondly,
> due to this there are two keep state rules required per connection.
>
> ### Define Interface aliases
> ext_if = "fxp0"
> dmz_if = "dc0"
> dev_if = "dc1"
> corp_if = "fxp1"
>
> ### Define address aliases
>
> corp_net = "{ 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24,
> 192.168.5.0/24, 192.168.6.0/24, 192.168.7.0/24, 192.168.8.0/26 }"
> dev_net = "{ 192.168.77.128/25 }"
> dmz_net = "{ 192.168.78.208/29, 192.168.191.64/26 }"

Maybe you could try 10. IPs; they are more user-friendly...

> ### default block stance
>
> block in all
> block out all
>
> [...]
>
> --ends--
>
> Feel free to offer suggestions and comments!

Well, first of all, a lot of antisp00f stuff is missing. Also, egress filtering could be wanted. You said that other things will be added, so I will not add any rules; however, I think these rules are good for a filter, not for a firewall. I mean they filter, but don't use all the power of THE Packet Filter.

> Would using 'quick' rules in certain places make rule parsing faster?

quick everywhere is faster in rule evaluation, not parsing...

Bye.

Ed
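As an added illustration (not the original poster's ruleset and not Ed's), here is one way the three points raised in the reply, anti-spoofing, egress filtering and `quick`, could be layered onto the quoted bridge configuration. The interface and network macros are the ones from the quoted mail; the allowed ports, the `log` keywords and the choice of which segment may originate outbound web traffic are assumptions made for the example. The anti-spoof rules are written out explicitly with the macros rather than via `antispoof`, because `antispoof` expands from an interface's own assigned addresses and bridge member interfaces often have none.

```pf
# Added example, not from the thread: bridge ruleset sketch with anti-spoof,
# egress filtering and quick rules. Macros are copied from the quoted mail.
ext_if  = "fxp0"
dmz_if  = "dc0"
dev_if  = "dc1"
corp_if = "fxp1"

corp_net = "{ 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24, 192.168.5.0/24, 192.168.6.0/24, 192.168.7.0/24, 192.168.8.0/26 }"
dev_net  = "{ 192.168.77.128/25 }"
dmz_net  = "{ 192.168.78.208/29, 192.168.191.64/26 }"

# Default stance from the quoted mail: nothing passes unless a later rule says so.
block in all
block out all

# Anti-spoofing: internal source addresses must never arrive on the external
# interface. Written per network because each macro is itself a list.
block in log quick on $ext_if from $corp_net to any
block in log quick on $ext_if from $dev_net to any
block in log quick on $ext_if from $dmz_net to any

# Egress filtering (assumed policy): only the corp segment may originate web
# traffic to the outside. Requiring "from $corp_net" on the inbound side also
# rejects packets that enter $corp_if with a foreign source address.
# Because this is a bridge, the same packet is seen on both member interfaces,
# so one keep state rule is needed per interface, as the quoted mail notes.
pass in  quick on $corp_if proto tcp from $corp_net to any port { 80, 443 } flags S/SA keep state
pass out quick on $ext_if  proto tcp from $corp_net to any port { 80, 443 } flags S/SA keep state

# Anything else trying to leave on $ext_if is logged before being dropped, so
# misconfigured or compromised internal hosts show up in pflog.
block out log quick on $ext_if all
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `quick` on the pass and block rules means evaluation stops at the first match, which is the speed-up Ed refers to, while the non-`quick` default blocks at the top still catch everything the later rules do not mention.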
