On 09/12/2009 03:50:54 PM, Daniel Malament wrote:
> 1) The big one is what I would call the 'double state problem'. It
> seems to me that the big disadvantage of a default-deny ruleset is that
> because explicit pass rules are required on all interfaces, traffic
> passing through the firewall machine needs state on all interfaces.
...
> The most obvious benefit of a default-deny ruleset is that it saves you
> if you make a block rule too narrow, or comment it out by accident or
> something.

The big benefit of default-deny is that you're sure you know what
traffic you are passing.

> But is there a way to have only one state per connection
> with a default-deny ruleset? And if not, does it ever actually matter,
> or am I just being pedantic?

You have a choice.

    set state-policy if-bound|floating

Whether it matters or not depends on your application. It surely can
matter, e.g. with multi-homed hosts where replies may come in an
interface other than the one out which the request was sent. OTOH if
you're gatewaying multiple very different networks you may want things
locked down tightly with state bound to the interfaces because there's
no way such traffic should be allowed.

> 2) The other (shorter) question:
> If I want one of my internal networks to be able to access the
> internet, but not be able to access my other internal networks, is
...
> better or worse in speed and resources than

I don't know. My general rule is that unless performance is really an
issue it's a lot more important to write programs/configurations in a
way that people can read than it is to write them so that they are
executed optimally. If nobody can read the file then it's useless.

> table <non_local> { 0.0.0.0/0 !$int_net1 !$int_net2 }
> pass in on $int_net3 from any to <non_local>

At first glance, this won't work. An address in $int_net1 will match
!$int_net2 and so will pass and vice versa. My brain is full right now
so I could be wrong but I am sure there are issues just like this with
! to watch out for.

Regards,

Karl <k...@meme.com>
Free Software: "You don't pay back, you pay forward."
-- Robert A. Heinlein
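The following pf.conf fragment is an added example, not part of either Daniel's or Karl's posts. It puts both of Karl's points into one default-deny ruleset: the global `set state-policy` choice behind the "double state" question, and the "net3 reaches the internet but not the other internal networks" policy written as explicit block rules rather than negated addresses. The interface names and private networks are assumed for illustration; NAT and the rules for the other two internal interfaces are left out.

```pf
# Added example: a default-deny gateway with one external and three
# internal interfaces. Names and addresses below are assumptions.
ext_if   = "em0"
int_if3  = "em3"
int_net1 = "10.1.0.0/16"
int_net2 = "10.2.0.0/16"
int_net3 = "10.3.0.0/16"

# Question 1, the "double state" choice. pf looks up existing state before
# it evaluates the ruleset. With floating states a packet passed in on
# $int_if3 creates one state that the same packet also matches on its way
# out $ext_if, so the "pass out" rule below is never reached for it and
# there is one state per connection. With if-bound states the state is
# tied to $int_if3, the outbound packet does not match it, and the
# "pass out" rule creates a second state bound to $ext_if.
# Set the policy once here (floating is the default) ...
set state-policy floating
# ... or override it per rule with "keep state (if-bound)" or
# "keep state (floating)".

set skip on lo0

# Default deny: nothing passes unless a rule below allows it.
block log all

# Question 2: $int_net3 may reach anything except the other internal
# networks. Spelled out as a block that is made final with "quick" before
# the broader pass, so the intent stays readable and does not depend on
# how "!" is interpreted inside lists or tables.
block in quick on $int_if3 from $int_net3 to { $int_net1, $int_net2 }
pass  in       on $int_if3 from $int_net3 to any keep state

# Outbound leg of the forwarded traffic. Only evaluated when no existing
# state matches, i.e. under if-bound (second state) or for packets the
# firewall itself originates. NAT rules omitted.
pass out on $ext_if from $int_net3 to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. To see the difference the policy makes, open a connection from a host in $int_net3 to the internet and run `pfctl -ss`: under floating there is a single state entry for it, listed against "all" rather than an interface; under if-bound there are two, one against $int_if3 and one against $ext_if.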