* Daniel C. Sinclair <daniel.c.sincl...@gmail.com> [2011-01-10 21:56]:
> On Wed, Jan 5, 2011 at 10:15 AM, Henning Brauer <lists-open...@bsws.de> wrote:
> > * Bernd Bornkessel <bbornkes...@dunkel.de> [2011-01-05 11:59]:
> >> In pf's state table I see two records - one for each direction of the
> >> connection.
> >
> > and the accumulated data from the state is what pflow exports, so it
> > is all as intended.
> >
> > usually, you do your real filtering on one side of the firewall
> > (usually there are areas that can be called "inside" and "outside" -
> > tho in some cases, there are many many inside networks, countless
> > vlans in my case). the other side you do some antispoof and firewall
> > self-protection. pick one side for pflow.
>
> In my case I consider all sides of the firewall hostile - I want to
> protect the internet from the machines on my network just as much as I
> want to protect those machines from the internet. So there isn't
> really an inside and outside.

that doesn't change a thing. same here. there still is inside and
outside, just none considered "safe". i express all policy on the (many
many many, in my case) "inside" interfaces.

> I also want netflow for all traffic
> that goes through the firewall - not just to/from the internet but
> also dmz to dmz.

see? another point for doing it on the "inside" interfaces.

-- 
Henning Brauer, h...@bsws.de, henn...@openbsd.org
BS Web Services, http://bsws.de
Full-Service ISP - Secure Hosting, Mail and DNS Services
Dedicated Servers, Rootservers, Application Hosting
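A pf.conf sketch of the layout described in this exchange: all real policy and the pflow export on the "inside" interfaces, only antispoof and firewall self-protection on the "outside" one, so each connection produces a single state and is exported once, dmz-to-dmz traffic included. This is an added example, not configuration posted by anyone in the thread; the interface names (em0, vlan10/20/30), the 192.0.2.x addresses and the permitted services are assumptions chosen for illustration.

```pf
# Added example, not from the thread. Assumed names: em0 is the outside
# link, the vlan interfaces are the inside/dmz networks, 192.0.2.1 is the
# firewall, 192.0.2.10 is the flow collector.
ext_if  = "em0"
int_ifs = "{ vlan10 vlan20 vlan30 }"

# The pflow(4) interface itself is configured outside pf.conf, e.g. in
# /etc/hostname.pflow0:   flowsrc 192.0.2.1 flowdst 192.0.2.10:9995

set skip on lo

# Default deny inbound on every interface; outbound is left alone so the
# outside interface creates no second state of its own for forwarded traffic.
block in log all

# Outside interface: antispoof and self-protection only. No pflow here, so
# a connection is never counted twice.
antispoof quick for $ext_if
pass in on $ext_if inet proto tcp to ($ext_if) port ssh keep state

# Inside interfaces: the real policy lives here, and only these states are
# tagged for export. A dmz-to-dmz connection enters on one inside interface
# and leaves on another, but it still matches this single floating state.
pass in on $int_ifs inet proto { tcp udp } to any port { domain www https } \
        keep state (pflow)
pass in on $int_ifs inet proto icmp keep state (pflow)
```

Because only rules on the inside interfaces carry the `pflow` state option, every forwarded connection is exported exactly once, whichever pair of interfaces it crosses; traffic to the firewall itself on the outside interface keeps state but is not exported.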