Mikael Olsson wrote:

> By the way, this is the kind of firewall that I like. Separate
> machines are great. I spit in the face of all do-everything-on-the-
> same-machine type guys! Pah! :) :)

Recently, I came to think a 3-NIC firewall is not as bad as I originally thought. As I read your message, a 3-NIC firewall is a do-everything-on-the-same-machine type (I hope that is correct). So I take this opportunity to ask what you experts think about my idea.

A 3-NIC firewall is often used for small firewall configurations. It has three interfaces, in0, ext0, and dmz0 (I think their meanings are obvious). Such a machine's major filtering capability is populated mostly on ext0. Using ipfilter, the ruleset is expressed as:

    pass in all
    pass out all
    block in on ext0 all
    pass out quick on ext0 proto tcp/udp keep state
    ... (dmz0 and in0 rules)

(I have pruned many important details for clarity. Bear with me.)

In this style of filtering, there is no default block against incoming connections from the dmz, so that rules for interactions between in0 and dmz0 become more or less ad hoc. This style of filtering is certainly weak.

However, there is a way to set it up to block all incoming connections by default, from the internal net's point of view. Here is the ruleset, again with ipfilter:

    block in all
    block out all
    pass in quick on in0 proto tcp/udp keep state
    ... (dmz0 and ext0 rules)

The two rulesets are, if there is no dmz0 interface, equivalent as seen from outside. But this ruleset is sharply different from the former in that it doesn't trust any packet within the firewall machine.

I don't know whether other filtering software has a similarly weird keep state rule and has the capability to simulate routing behavior as ipfilter does. Aside from this issue, a 3-NIC firewall seems to be able to be made tight enough with ipfilter.

Comments ?

horio shoichi

-
[To unsubscribe, send mail to [EMAIL PROTECTED] with "unsubscribe firewalls" in the body of the message.]
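As an added illustration (not part of the original post or of ipfilter itself), here is a small Python model of the two rulesets under simplified ipfilter semantics: the last matching rule wins unless it is `quick`, and a flow with a `keep state` entry bypasses the rule check on every interface it crosses and for its replies. The TCP-only reduction, the net names (lan, dmz, net) and the omission of the elided per-interface rules are assumptions.

```python
from dataclasses import dataclass
from typing import Optional
@dataclass
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: Optional[str] = None  # None means "all" interfaces
    proto: Optional[str] = None  # None means any protocol
    quick: bool = False          # stop evaluating when this rule matches
    keep_state: bool = False     # add the flow to the state table

# The post's two rulesets, reduced to TCP (assumption); the elided rules are omitted.
AD_HOC = [Rule("pass", "in"), Rule("pass", "out"), Rule("block", "in", "ext0"),
          Rule("pass", "out", "ext0", "tcp", quick=True, keep_state=True)]
DEFAULT_DENY = [Rule("block", "in"), Rule("block", "out"),
                Rule("pass", "in", "in0", "tcp", quick=True, keep_state=True)]

def check(rules, proto, direction, iface):
    """One interface crossing: the last matching rule wins unless a match is quick."""
    result = ("pass", False)  # ipfilter's default when no rule matches
    for r in rules:
        if r.direction == direction and r.iface in (None, iface) and r.proto in (None, proto):
            result = (r.action, r.keep_state)
            if r.quick:
                break
    return result[0] == "pass", result[1]

def forward(rules, state, flow, in_iface, out_iface):
    """Route flow=(proto, src, dst) in on in_iface, then out on out_iface."""
    if flow in state:  # established flows bypass the rules on every interface
        return True
    for direction, iface in (("in", in_iface), ("out", out_iface)):
        passes, keep = check(rules, flow[0], direction, iface)
        if not passes:
            return False
        if keep:  # state covers the rest of this packet's path and the replies
            state.update({flow, (flow[0], flow[2], flow[1])})
            return True
    return True

def scenarios(rules):
    """New TCP connections between the nets, plus a DMZ reply to a flow opened from inside."""
    state = set()
    forward(rules, state, ("tcp", "lan", "dmz"), "in0", "dmz0")  # internal host opens lan->dmz
    return {
        "dmz->internal (new)": forward(rules, set(), ("tcp", "dmz", "lan"), "dmz0", "in0"),
        "internal->dmz (new)": forward(rules, set(), ("tcp", "lan", "dmz"), "in0", "dmz0"),
        "internet->internal (new)": forward(rules, set(), ("tcp", "net", "lan"), "ext0", "in0"),
        "dmz->internal (reply)": forward(rules, state, ("tcp", "dmz", "lan"), "dmz0", "in0"),
    }
```

Under the first ruleset a new connection from the DMZ into the internal net is allowed; under the second it is blocked, while the reply to a connection the internal net opened still passes through the state entry.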
