[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: fully transparent ftp-proxy and other stories...
> > I don't understand how the ability to specify both interfaces in a
> > single rule in iptables helps you there.
> iptables allows me to neatly sidestep this issue by defining my rules
> in topological terms. I can write a rule that applies to packets sent
> from interface A to interface B without having to hardwire the list of
> networks into my packet filters.
I don't trust routing tables to influence filter rules. You set
securelevel = 2 to prevent filter rules modifications and then some BGP
fuckup opens your firewall wide open? Why do you need huge lists of
addresses in rule sets? I agree that duplicating them on multiple
interfaces is annoying, but that's what macros are for.
Ok, having thought about this a bit more, I realize I am probably
falling into the trap of trying to mentally build an OpenBSD firewall
that is structured identically to my existing Linux firewall, rather
than trying to figure out how to design an OpenBSD firewall to fit my
requirements. I'm beginning to agree that specifying both interfaces
is probably no big deal.
I currently rely on reverse path filtering to do my antispoofing, and
think in terms of static routes as being a kind of filter rule, but I
guess that's mainly because it's a lot neater and less verbose than
doing the antispoofing long hand in ipchains.
The ability to define macros in pf that expand to lists of subnets
provides me with a simple way of accomplishing the same thing.
Likewise, my complaints about the antispoofing statement stem from my
recollections of doing antispoofing via ipfwadm rules; with pf
accomplishing what I want becomes so concise that it's a non-issue.
(I still think reverse path filtering is a Good Thing, though -- and I
couldn't find any mention of it in OpenBSD -- does it exist?)
> (And the explicit form gets really messy when you have a network
> routed out of one interface, except for a small subnet of it which
> sits on another interface.)
That can be covered with two simple rules with one netblock each, the
second overriding the first, no?
Again, this stems from the way I currently use routes as filters. I
hence make sure that all our allocated netblocks are statically routed
out of our internal interface, and then route subnets of these out of
other interfaces as required. The subnet subtraction is, I now see,
not a goal in itself, but just an artifact of the current firewall
implementaiton. With the pf ruleset that is beginning to loosely form
in my mind, I realize that I can almost certainly write filtering
rules that far more directly capture what I'm trying to achieve.
Unfortunately (or in reality, fortunately), the prospects of being
multihomed are looking at least possible in the near future, and so
there's a significant chance I'm going to want to do load balancing
NAT, for which I believe netfilter/iptables is pretty much my only
option at present (short of shelling out lots of cash :)
It's quite tempting to use OpenBSD as my firewall and Linux as my load
balancer, but that's an extra machine and an extra point of failure,
not to mention significant extra complexity... :(