Re: PF Filter rules & NAT

On Tue, Dec 10, 2002 at 01:02:21AM +1100, Benjamin M.A. Robson wrote:
> Not filtering on any interface is a -very- bad idea.  As if the scenario
> was that I had 3 interfaces, and I only filtered on the Internet interface,
> I now have no access control between the 2nd and 3rd interfaces.
Then you filter on all three interfaces and create state on all of them.
You have the choice.
> When design decisions were being made, why was it decided not to replicate
> the way IPFilter does this (i.e. 1 rule would imply the necessity for the
> other and this would be taken care of)?
Just because a connection is allowed in on one interface doesn't mean I
want to allow it out through ANY of the other interfaces. I see
filtering on an interface as a guard standing at a door. Just because
one guard let you into the house doesn't mean you may leave the house
through any door you like. You have to pass each guard.
For instance, if I have a three legged firewall with an external
interface, a dmz and a client network, I want to allow external hosts to
initiate connections to the dmz, so I allow those connections in on the
external interface. But I sure don't want that state to pass any packets
on the interface to the clients.
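The three-legged setup described above, written out as a pf.conf fragment. This is an added illustration, not a ruleset from the original thread; interface names, the DMZ web server address and the client network are assumed, and the syntax (explicit direction, "keep state" on every pass rule) follows the OpenBSD releases of that time.

```pf
# Added example (not from the original post). Names below are assumed.
ext_if = "fxp0"            # Internet
dmz_if = "fxp1"            # DMZ
int_if = "fxp2"            # client network
dmz_www = "192.0.2.10"     # constructed: web server in the DMZ
int_net = "10.0.0.0/24"    # constructed: client network

# Default deny on every interface, in both directions.
block in  log all
block out log all

# Guard at the external door: let HTTP to the DMZ server in on ext_if.
# The state created here is only consulted for packets seen on ext_if.
pass in  on $ext_if proto tcp from any to $dmz_www port 80 flags S/SA keep state

# Guard at the DMZ door: the same connection must be passed out on dmz_if
# as well, otherwise it is blocked there despite the state on ext_if.
pass out on $dmz_if proto tcp from any to $dmz_www port 80 flags S/SA keep state

# No pass rule mentions int_if for external traffic, so an external->DMZ
# connection can never be forwarded onto the client network.

# Clients may initiate connections to the Internet and to the DMZ server,
# again with one rule per interface the packet crosses.
pass in  on $int_if proto tcp from $int_net to any flags S/SA keep state
pass out on $ext_if proto tcp from $int_net to any flags S/SA keep state
```

On later PF releases (OpenBSD 3.5 and newer) states float across interfaces by default, so the behaviour the post describes needs "set state-policy if-bound", or a per-rule "if-bound" state option, to reproduce.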