On 09/12/2009 03:50:54 PM, Daniel Malament wrote:

> 1) The big one is what I would call the 'double state problem'.  It
> seems to me that the big disadvantage of a default-deny ruleset is that
> because explicit pass rules are required on all interfaces, traffic
> passing through the firewall machine needs state on all interfaces.

...

> The most obvious benefit of a default-deny ruleset is that it saves you
> if you make a block rule too narrow, or comment it out by accident or
> something.

The big benefit of default-deny is that you're sure you know what
traffic you are passing.

> But is there a way to have only one state per connection
> with a default-deny ruleset?  And if not, does it ever actually matter,
> or am I just being pedantic?

You have a choice.

set state-policy if-bound|floating

Whether it matters or not depends on your application.  It surely
can matter, e.g. with multi-homed hosts where replies may come in
an interface other than the one out which the request was sent.
OTOH if you're gatewaying multiple very different networks you may want 
things locked down tightly with state bound to the interfaces 
because there's no way such traffic should be allowed.

> 2) The other (shorter) question:
> If I want one of my internal networks to be able to access the internet,
> but not be able to access my other internal networks, is

...

> better or worse in speed and resources than

I don't know.  My general rule is that unless performance is
really an issue it's a lot more important to write programs/
configurations in a way that people can read than it is to
write them so that they are executed optimally.  If nobody
can read the file then it's useless.

> table <non_local> { 0.0.0.0/0 !$int_net1 !$int_net2 }
> pass in on $int_net3 from any to <non_local>

At first glance, this won't work.  An address in
$int_net1 will match !$int_net2 and so will pass
and vice versa.  My brain is full right now so I
could be wrong but I am sure there are issues just
like this with ! to watch out for.

Regards,

Karl <k...@meme.com>
Free Software:  "You don't pay back, you pay forward."
                 -- Robert A. Heinlein
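A model of the negation pitfall Karl is pointing at, as pf documents it for a brace-delimited `{ }` address list: each element expands into its own rule, so `!$int_net1` in one rule cannot exclude `$int_net2`, and the ruleset leaks. This is an added example, not code from the thread; the two internal networks are constructed sample values, and the `evaluate` function models pf's last-matching-rule-wins semantics without `quick`.

```python
import ipaddress

# Constructed sample networks standing in for $int_net1 / $int_net2 (assumed).
INT_NET1 = ipaddress.ip_network("10.1.0.0/16")
INT_NET2 = ipaddress.ip_network("10.2.0.0/16")
ANY = ipaddress.ip_network("0.0.0.0/0")

def expand_list_rule(action, negated_nets):
    """pf expands 'pass ... to { !A !B }' into 'pass ... to !A' and
    'pass ... to !B': one rule per list element, each negation alone."""
    return [(action, net, True) for net in negated_nets]

def matches(rule, dst):
    """Does a (action, net, negated) rule match destination dst?"""
    _, net, negated = rule
    hit = dst in net
    return (not hit) if negated else hit

def evaluate(rules, dst):
    """Model pf without 'quick': the last matching rule decides;
    default policy is block."""
    dst = ipaddress.ip_address(dst)
    decision = "block"
    for rule in rules:
        if matches(rule, dst):
            decision = rule[0]
    return decision

def naive_ruleset():
    # The leaky form: pass in on $int_net3 to { !$int_net1 !$int_net2 }
    return expand_list_rule("pass", [INT_NET1, INT_NET2])

def fixed_ruleset():
    # Pass everything first, then explicit blocks for the internal nets.
    # With last-match-wins the later block rules override the pass for
    # internal destinations, and nothing depends on negation.
    return [("pass", ANY, False),
            ("block", INT_NET1, False),
            ("block", INT_NET2, False)]

if __name__ == "__main__":
    for dst in ("10.1.5.5", "10.2.7.7", "203.0.113.9"):
        print(dst, "naive:", evaluate(naive_ruleset(), dst),
              "fixed:", evaluate(fixed_ruleset(), dst))
```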
