Igor Sobrado <igor@nospam.invalid> wrote:
> jKILLSPAM.schipper@math.uu.nl wrote:
>>
>> If you mean what I think you mean, it's quite easy. Most pf rulesets I
>> write are variants on the following:
>>
> [...]
>>
>> Of course, the above is simplistic - one often needs NAT, usually
>> ftp-proxy (note this has been rewritten for 3.9; I'm not sure what
>> version is used by other systems, if any), and so on - but it does show
>> that filtering both incoming and outgoing traffic is quite easy.
>>
>> A more usual setup is to 'pass all on $int_if' and then filter on the
>> outgoing interface; this is quicker, I suppose, but some care needs to
>> be taken not to open up the internal interface of the firewall to the
>> entire network - not that that is too dangerous, but it isn't required.
>
> Hi, Joachim.
>
> *Excellent* advice, indeed! Certainly logging all traffic by default
> is very useful (someone can miss, let's say, some rules for the resolver).
> Mistakes will be quickly discovered by logging all blocked traffic.
> I will print your post right now and store it for future reference.
>
> The skeleton you provided is an exceptional starting point for a firewall.
> Thanks again!
>
> I think that I will not care about NAT at this level, I have a soekris
> net4801 (currently running 3.9) that will perform this task better.
> In fact, I am planning to add some subnets to that excellent embedded
> computer too (it has an additional two-port NIC installed). I am
> just waiting until an appropriate 2.5" HDD arrives (it currently has
> a 60 GB Travelstar drive; I have just asked for a 40 GB enhanced
> availability drive... SMART starts complaining about the time the HDD
> is turned on!). I want to have NAT and a decent ruleset when the new
> HDD arrives, as the machine should stay up 24/7.
For maximum reliability, one could consider carp(4), pfsync(4), and
such. More information can be found in the FAQ. (Disclaimer: while this
should work really well, one should probably run -current if one wishes
to use sasyncd(8), and I do not have personal experience with either.)
Joachim
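As an added example (not the skeleton from the original post, and not code written by Joachim or Igor), here is a pf.conf in the shape the thread describes: block and log everything by default, pass traffic on the internal interface, filter on the external interface, and take care not to expose the firewall's own internal address to the whole LAN. The interface names sis0/sis1, the 192.168.1.0/24 network and the admin host 192.168.1.10 are assumptions; NAT is left out, as Igor intends to do it on another box.

```pf
# Added example pf.conf, not the ruleset from the thread.
# Interface names, networks and hosts below are assumptions.
ext_if   = "sis0"
int_if   = "sis1"
int_net  = "192.168.1.0/24"
admin    = "192.168.1.10"
out_tcp  = "{ ssh, domain, http, https }"

set skip on lo

# Default deny, logging every blocked packet: a forgotten rule
# (e.g. for the resolver) shows up on pflog0 instead of failing silently.
block log all

# Trust the inside network to send traffic *through* the firewall...
pass in on $int_if from $int_net to any keep state

# ...but not to reach the firewall's own internal address by default.
# pf uses last-matching-rule-wins, so this overrides the pass above
# for traffic aimed at the box itself.
block in log on $int_if from $int_net to ($int_if)

# Only the admin host may ssh to the firewall's internal address.
pass in on $int_if proto tcp from $admin to ($int_if) port ssh keep state

# Filter on the outgoing interface: the inside network gets a short
# list of TCP services plus DNS; everything else is caught by block log all.
pass out on $ext_if proto tcp from $int_net to any port $out_tcp keep state
pass out on $ext_if proto udp from $int_net to any port domain keep state

# The firewall itself may talk out (package updates, its own resolver).
pass out on $ext_if from ($ext_if) to any keep state
```

Blocked packets can be watched live with `tcpdump -n -e -ttt -i pflog0`, which is where the "mistakes will be quickly discovered" part of the thread plays out.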