On Tue, Dec 10, 2002 at 01:02:21AM +1100, Benjamin M.A. Robson wrote:
> > no filtering on dc1 at all.
>
> Not filtering on any interface is a -very- bad idea. As if the scenario
> was that I had 3 interfaces, and I only filtered on the Internet
> interface, I now have no access control between the 2nd and 3rd
> interfaces.
It depends on the "level" of control you want to have on each interface.
Since I started using PF, I adopted the "Cisco" filtering philosophy.
That is, give a "virtual" level to each interface:
- internal interface is trusted
- external interface is untrusted
- the other interfaces somewhere in between
Here is how it is implemented on one of my gateways:
# allow anything in/out from the internal interface
pass in quick on $internal_if all
pass out quick on $internal_if all
# block attempted access from the dmz to the internal network
# but let answers go back to the internal net
pass out quick on $dmz_if proto tcp from $internal_net to $dmz_net \
flags S keep state
pass out quick on $dmz_if proto { udp, icmp } from $internal_net to \
$dmz_net keep state
block in log quick on $dmz_if from $dmz_net to $internal_net
# let anything in/out to/of the dmz interface
pass in quick on $dmz_if all
pass out quick on $dmz_if all
In this example, the dmz interface is denied access to the internal
network _and_ there is no "filtering" on the internal interface. Maybe
you can use this concept on your PF web interface.
--
Saad Kadhi -- [[EMAIL PROTECTED]] [[EMAIL PROTECTED]]
[pgp keyid: 35592A6D http://pgp.mit.edu]
[pgp fingerprint: BF7D D73E 1FCF 4B4F AF63 65EB 34F1 DBBF 3559 2A6D]
---
Can't fight the Systemagic
Uber tragic
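Added example, not code from the mail above or from pf itself: a small Python model of how pf walks a ruleset (last matching rule wins, a matching "quick" rule ends evaluation, no match at all means pass), run over the DMZ rules posted above to show why the block rule has to sit before "pass in quick on $dmz_if all". The networks, interface names and addresses are constructed placeholders for the macros; keep state and log are not modelled.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed placeholder networks standing in for the mail's macros.
INTERNAL_NET = ip_network("10.0.0.0/24")  # $internal_net
DMZ_NET = ip_network("192.0.2.0/24")      # $dmz_net
ANY = ip_network("0.0.0.0/0")
@dataclass
class Rule:
    action: str          # "pass" or "block"
    direction: str       # "in" or "out"
    iface: str           # "internal" ($internal_if) or "dmz" ($dmz_if)
    quick: bool = False
    protos: tuple = ()   # empty tuple = any protocol
    src: object = ANY
    dst: object = ANY
Packet = namedtuple("Packet", "direction iface proto src dst")
def matches(rule, pkt):
    return (rule.direction == pkt.direction and rule.iface == pkt.iface
            and (not rule.protos or pkt.proto in rule.protos)
            and ip_address(pkt.src) in rule.src and ip_address(pkt.dst) in rule.dst)

def evaluate(rules, pkt):
    # pf: the last matching rule wins unless a matching rule is 'quick',
    # which ends evaluation on the spot. No match at all means pass.
    decision = "pass"
    for rule in rules:
        if matches(rule, pkt):
            decision = rule.action
            if rule.quick:
                break
    return decision

# The DMZ ruleset from the mail, in the order given (keep state / log omitted).
RULES = [
    Rule("pass", "in", "internal", quick=True),
    Rule("pass", "out", "internal", quick=True),
    Rule("pass", "out", "dmz", quick=True, protos=("tcp",), src=INTERNAL_NET, dst=DMZ_NET),
    Rule("pass", "out", "dmz", quick=True, protos=("udp", "icmp"), src=INTERNAL_NET, dst=DMZ_NET),
    Rule("block", "in", "dmz", quick=True, src=DMZ_NET, dst=INTERNAL_NET),
    Rule("pass", "in", "dmz", quick=True),
    Rule("pass", "out", "dmz", quick=True),
]
# Same rules with the block moved after 'pass in quick on $dmz_if all': the
# earlier quick pass now wins, so the DMZ would reach the internal network.
MISORDERED = RULES[:4] + [RULES[5], RULES[4], RULES[6]]
DMZ_TO_INTERNAL = Packet("in", "dmz", "tcp", "192.0.2.10", "10.0.0.5")    # constructed
DMZ_TO_INTERNET = Packet("in", "dmz", "tcp", "192.0.2.10", "198.51.100.7")  # constructed
if __name__ == "__main__":
    for name, rules in (("as posted", RULES), ("misordered", MISORDERED)):
        print(name, evaluate(rules, DMZ_TO_INTERNAL), evaluate(rules, DMZ_TO_INTERNET))
```

Note that a packet matching no rule at all is passed, so an interface with no rules (the "unfiltered" internal interface in the mail) is open by this default, not by any explicit decision.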