That's a good feature. My idea about overriding local with remote policy is to minimize local per-host configuration effort - in the absence of a centralized configuration tool. With the interface up and running, we don't want a liberal local policy even for 30-40 seconds, while remote policy is being downloaded... although this concern is more about viruses that pf may not filter anyway...

Rgrds

Marcus Franke wrote:
Hello,

This is the way Windows does its policy management.

First the local ruleset will be read, then, according to the location
of the computer in the LDAP tree, the policy rules that are connected
to these nodes will be read.

Those rules that are nearer to the computer account will overwrite those
being "far away".

Windows knows an option "no overwrite" you can set. When this option
is set, the policy won't be overwritten by those closer to the computer
account in the directory structure.

Works well, as far as I have used it so far.


-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
Behalf Of GobbleDeGeek
Sent: Friday, 9 December 2005 14:25
To: [email protected]
Subject: Re: freebsd-pf Digest, Vol 64, Issue 5

I agree. One way out is to set up each machine with a default tight local
policy that only allows access to the local "remote file system" (sic!),
then read in the more liberal site-wide policy to replace the existing
one... this will mean an nfs mount or a one-way rsync ... and a simple
per-machine ruleset blocking everything
but the firewall policy server's nfs or rsync... any other ideas ??

Rgrds

I would admit to this, but I am the only person using these boxes.

One is my machine in the office the other one is at home.

Concerning the manageability I would say, yes, you are right. One
should invent a solution like the manageability of WinXP SP2 with
the help of the ActiveDirectory in a windows server domain.

One ruleset for all boxes.

But, often you read that attacks against servers will be done from
the inside network.



Marcus

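As an added example (not code from the thread): a bootstrap pf ruleset in the spirit of GobbleDeGeek's suggestion, blocking everything except the fetch of the site-wide policy from the policy server, with the site ruleset only swapped in after it passes a pfctl syntax check so the tight rules stay in force if the download is bad. The interface name, server address, rsync module name and file paths are assumptions.

```shell
#!/bin/sh
# Added example; the policy server, rsync module and paths are assumptions.

# Emit the bootstrap ruleset: block everything except the policy fetch.
# $1 = external interface, $2 = policy server address
gen_bootstrap_rules() {
    cat <<EOF
ext_if = "$1"
policy_srv = "$2"
set skip on lo0
block log all
# Only the rsync daemon (873/tcp) on the policy server is reachable while
# bootstrapping. An NFS mount would additionally need 111, 2049 and mountd.
pass out quick on \$ext_if proto tcp from (\$ext_if) to \$policy_srv port 873 flags S/SA keep state
EOF
}

# Load the bootstrap rules, fetch the site policy, and activate it only if
# it parses; on any failure the bootstrap ruleset remains loaded.
# $1 = interface, $2 = policy server, $3 = rsync module,
# $4 = pfctl command (default: pfctl), PF_DIR = where rulesets live
load_site_policy() {
    pfctl_cmd=${4:-pfctl}
    dir=${PF_DIR:-/etc}
    boot="$dir/pf.bootstrap.conf"
    site="$dir/pf.site.conf"
    gen_bootstrap_rules "$1" "$2" > "$boot"
    "$pfctl_cmd" -f "$boot" || return 1          # could not install bootstrap rules
    rsync -a "rsync://$2/$3/pf.conf" "$site.new" || return 2   # fetch failed
    if "$pfctl_cmd" -nf "$site.new"; then        # -n: parse only, load nothing
        mv "$site.new" "$site"
        "$pfctl_cmd" -f "$site"                  # replace bootstrap with site policy
    else
        rm -f "$site.new"
        return 3                                 # bad ruleset, bootstrap stays
    fi
}
```

Run as root with e.g. `load_site_policy em0 192.0.2.10 pf` from rc; the return code tells you whether the box is still on the bootstrap rules.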

_______________________________________________
[email protected] mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"