[prev in list] [next in list] [prev in thread] [next in thread] 

List:       openbsd-pf
Subject:    Re: ruleset for transparent bridge with 4 interfaces  & stateful filt ering..
From:       Daniel Hartmeier <daniel () benzedrine ! cx>
Date:       2002-07-30 8:24:42
[Download RAW message or body]

On Tue, Jul 30, 2002 at 05:13:44PM +1000, Adrian Buxton wrote:

> Before having a look, these are a couple of things I've learnt thus far.
> Firstly, because the bridge has > 2 interfaces, it is not possible just to
> pass traffic on one interface and filter on the other. Secondly, due to this
> there are two keep state rules required per connection.

Yes, that's correct.

> ### default block stance
> 
> block in all
> block out all

This is a good start. You have to keep in mind that you're block all
traffic on all interfaces in all directions with this. This means that
for every connection you want to allow through, you have to pass it in
on the interface it comes in on _and_ the interface it passes out of,
which means generally two keep state rules, as you already mentioned.

> ### corp_if rules ###
> 
> # allow corporate network anywhere
> pass in on $corp_if proto tcp from $corp_net to any flags S keep state
> pass in on $corp_if proto { udp, icmp } from $corp_net to any keep state

These are the only two rules that apply to $corp_if explicitely, and
they only deal with packets coming in on that interface. This means that
you're not passing any connections _out_ through $corp_if.

If that's intentional (i.e. none of the the other networks should be
able to connect into $corp_net), that's fine, of course.

> Feel free to offer suggestions and comments! Daniel, any thoughts? Would
> using 'quick' rules in certain places me rule parsing faster?

I wouldn't make the rule set more complicated before you're actually
forced to (because rule set evaluation turns out to be too slow). Some
people use 'quick' because they feel more comfortable with 'final'
rules, so they don't have to think about how one rule is overridden by
later rules. In your rule set, I think overriding is used pretty
straight forward, and you obviously understand how it works, so I don't
think you should use 'quick' just for the sake of it.

As with any non-trivial rule set, it's always a good idea to verify the
filter by trying several different valid and invalid connections
(between all networks, in your case) and see if the right ones are
blocked.

I'd recommend you express the general policy ('everything should be
blocked, except for the following connections: $corp_net may connect
into $dmz_net using tcp/udp/icmp, etc.') and put that as a comment.
Without that information, it's impossible to tell whether the rule set
implements your policy, I could only guess your policy from the rule
set, and couldn't detect differences, of course :)

Daniel

[prev in list] [next in list] [prev in thread] [next in thread]