Re: freebsd-pf Digest, Vol 64, Issue 5

GobbleDeGeek gobbledegeek at gmail.com
Fri Dec 9 07:41:07 PST 2005


That's a good feature. My idea about overriding local with remote policy 
is to minimize local per-host configuration effort, in the absence of 
a centralized configuration tool. With the interface up and running, we 
don't want a liberal local policy even for 30-40 seconds while the remote 
policy is being downloaded... although this concern is more about 
viruses that pf may not filter anyway...

Rgrds

Marcus Franke wrote:
> Hello,
> 
> This is the way Windows does its policy management.
> 
> First the local ruleset will be read; then, according to the location
> of the computer in the LDAP tree, the policy rules that are connected
> to those nodes will be read.
> 
> Those rules that are nearer to the computer account will overwrite those
> being "far away".
> 
> Windows knows an option "no overwrite" you can set. When this option
> is set, the policy won't be overwritten by those closer to the computer
> account in the directory structure.
> 
> Works well, as far as I have used it so far..
> 
> 
>>-----Original Message-----
>>From: owner-freebsd-pf at freebsd.org [mailto:owner-freebsd-pf at freebsd.org] On
>>behalf of GobbleDeGeek
>>Sent: Friday, 9 December 2005 14:25
>>To: freebsd-pf at freebsd.org
>>Subject: Re: freebsd-pf Digest, Vol 64, Issue 5
>>
>>I agree. One way out is to set up each machine with a default tight local
>>policy that only allows access to the local "remote file system" (sic!),
>>then read in the more liberal site-wide policy to replace the existing
>>one... this will mean an NFS mount or a one-way rsync... and a simple
>>per-machine ruleset blocking everything
>>but the firewall policy server's NFS or rsync... any other ideas??
>>
>>Rgrds
>>
>>>I would admit to this, but I am the only person using these boxes.
>>>
>>>One is my machine in the office the other one is at home.
>>>
>>>Concerning the manageability I would say, yes, you are right. One
>>>should invent a solution like the manageability of WinXP SP2 with
>>>the help of Active Directory in a Windows server domain.
>>>
>>>One ruleset for all boxes.
>>>
>>>But, often you read that attacks against servers will be done from
>>>the inside network.
>>>
>>>
>>>
>>>Marcus
>>>
>>
>>_______________________________________________
>>freebsd-pf at freebsd.org mailing list
>>http://lists.freebsd.org/mailman/listinfo/freebsd-pf
>>To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
> 
> 
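The bootstrap scheme discussed in this thread (a tight per-machine ruleset that only reaches the policy server, then a one-way rsync of the site-wide ruleset which replaces it) as an added example in shell; this is not code from the thread or from the pf project. The policy server address 192.0.2.10, the pfpolicy account, the /srv/pf directory, the per-host file name and the local file paths are all assumptions. The ordering matters for the "30-40 seconds" concern: the restrictive ruleset is loaded before anything is fetched, and every failure path leaves the host on that restrictive ruleset rather than open.

```shell
#!/bin/sh
# Added example, not code from the thread or the pf project: bring a host up
# under a bootstrap pf ruleset that only lets it reach the policy server, pull
# the site-wide ruleset over rsync/ssh, syntax-check it, and only then replace
# the running ruleset.  Server address, account, paths and names are assumed.

POLICY_SERVER="${POLICY_SERVER:-192.0.2.10}"        # assumed policy server
POLICY_USER="${POLICY_USER:-pfpolicy}"              # assumed rsync/ssh account
POLICY_DIR="${POLICY_DIR:-/srv/pf}"                 # assumed directory on the server
BOOTSTRAP_CONF="${BOOTSTRAP_CONF:-/etc/pf.bootstrap.conf}"
SITE_CONF="${SITE_CONF:-/etc/pf.site.conf}"
PFCTL="${PFCTL:-/sbin/pfctl}"
RSYNC="${RSYNC:-/usr/local/bin/rsync}"

# Print the bootstrap ruleset for the policy server given as $1.  Everything
# is blocked except loopback and one outbound ssh session (rsync's transport)
# to that single address; "keep state" lets the replies back in.
bootstrap_pf_conf() {
    cat <<EOF
# generated bootstrap ruleset: only the policy server is reachable
policy_server = "$1"
set block-policy drop
pass quick on lo0
block all
pass out quick proto tcp from any to \$policy_server port 22 flags S/SA keep state
EOF
}

# Load the bootstrap ruleset, fetch the site ruleset and activate it.
# Returns 0 on success.  Any non-zero return means the host is still running
# the bootstrap ruleset, i.e. it failed closed, not open.
load_site_policy() {
    bootstrap_pf_conf "$POLICY_SERVER" > "$BOOTSTRAP_CONF" || return 1
    "$PFCTL" -f "$BOOTSTRAP_CONF" || return 1
    "$PFCTL" -e 2>/dev/null || true      # "pf already enabled" is fine here

    # One-way copy, server to host: the host never writes to the server.
    # The per-host file name on the server is an assumption.
    if ! "$RSYNC" -a -e ssh \
         "$POLICY_USER@$POLICY_SERVER:$POLICY_DIR/$(hostname).conf" \
         "$SITE_CONF.new"; then
        echo "site ruleset fetch failed; staying on bootstrap ruleset" >&2
        return 2
    fi

    # Parse-check before swapping files, so a broken ruleset on the server is
    # reported explicitly and never becomes the on-disk site policy.
    if ! "$PFCTL" -n -f "$SITE_CONF.new"; then
        echo "site ruleset rejected by pfctl -n; staying on bootstrap ruleset" >&2
        rm -f "$SITE_CONF.new"
        return 3
    fi

    mv "$SITE_CONF.new" "$SITE_CONF" && "$PFCTL" -f "$SITE_CONF"
}

# Only act when invoked as "sh pfbootstrap.sh run"; sourcing the file just
# defines the functions.
case "${1:-}" in
    run) load_site_policy ;;
esac
```

On a FreeBSD host the natural wiring is to point pf_rules in rc.conf at the bootstrap file so pf comes up closed with the interface, and to run this script from rc.local (or a cron job for periodic refresh) so the site ruleset replaces it a few seconds later. The pfctl -n step is cheap insurance: a typo pushed to the policy server then shows up as a logged error on every host instead of a silent stay on the bootstrap ruleset.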

