firewalling policy

Sten Daniel Sørsdal sten.daniel.sorsdal at wan.no
Fri Feb 20 18:57:19 PST 2004


> What is the best point to firewall? Naturally default block 
> strategy assumed. I know each interface needs rules to achieve 
> good security, but what about external interface (WAN link)?  
> Is it safe just to firewall each internal interface, because 
> otherwise I need "double rules" and it gets more complicated.
> 
> Any other hints to give or good optimized examples for pf in 
> larger environment? I will surely make a public document once 
> I get this up and running.
> Thanks in advance and specially all you developers of this great OS!
> 


I pretty much always go for a setup in this order and I always group
my rules by first incoming and then outgoing per interface:
a) drop all attempts at spoofing
b) no redundancy (duplicate rules)
c) block/accept packets as early as possible (preferably on incoming)

This method leaves few rules on outgoing segments and usually only for 
the local rules for the firewall and makes efficient use of state tables.
With a large ruleset it becomes difficult to maintain anything with
duplicate rules. 

If this is about firewalling/routing internet traffic (public IP addresses)
I would be extra careful about sources you can not trust when it comes to 
keeping state. A SYN attack or multiple instances of a virus like Blaster 
can make the firewall slow or at worst unresponsive/crash. 

Good luck with the firewall!

_// Sten Daniel Sørsdal

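The following pf.conf skeleton is an added example, not part of the post above and not a ruleset from the FreeBSD project; it lays out the policy Sten describes (antispoof first, no duplicate rules, decide on the incoming interface with "quick", and bounded state for untrusted sources) on a three-interface firewall. Interface names, address ranges, hosts and limit values are assumed placeholders, and the state options (synproxy, max-src-conn-rate, overload, adaptive timeouts) assume a pf version that supports them, which any current FreeBSD or OpenBSD pf does.

```pf
# Added example, not from the original post. Names and numbers are assumptions.
ext_if  = "em0"                 # WAN link
lan_if  = "em1"                 # internal LAN
dmz_if  = "em2"                 # DMZ holding the public servers
lan_net = "192.168.10.0/24"
dmz_net = "192.0.2.0/24"        # documentation prefix standing in for public space
www_srv = "192.0.2.10"

# Bound the state tables so a SYN flood or a worm outbreak hits a limit
# instead of exhausting kernel memory; as the table fills, timeouts shrink.
set limit { states 100000, src-nodes 50000 }
set timeout { adaptive.start 60000, adaptive.end 100000 }
# States are floating by default: a state created on the incoming interface
# also matches the same flow on the outgoing interface, so no "out" rule is
# needed for forwarded traffic.
set state-policy floating
set skip on lo0                 # antispoof would otherwise drop loopback traffic

table <flooders> persist

# a) Drop spoofed packets first. antispoof expands to "block in" rules for
#    packets arriving on the wrong interface for their source network.
antispoof quick for { $ext_if $lan_if $dmz_if }
block in quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 } to any
block in quick on $ext_if from <flooders> to any

# Default deny, logged. Every rule below is "quick", so each packet is decided
# by the first matching rule rather than pf's usual last-match evaluation.
block in log all
block out log all

# --- $ext_if, incoming (untrusted sources) ---
# synproxy completes the TCP handshake on the firewall's behalf, so half-open
# connections never create state or reach the server. Per-source limits move
# abusers into <flooders>, which is blocked above, and flush their states.
pass in quick on $ext_if proto tcp from any to $www_srv port { 80 443 } \
    flags S/SA synproxy state \
    (max-src-conn 100, max-src-conn-rate 15/5, overload <flooders> flush global)
pass in quick on $ext_if inet proto icmp from any to $dmz_net icmp-type echoreq keep state
# --- $ext_if, outgoing ---
# Forwarded traffic rides on state; only the firewall's own connections need a rule.
pass out quick on $ext_if proto { tcp udp } from ($ext_if) to any keep state

# --- $lan_if, incoming (from the LAN) ---
pass in quick on $lan_if proto tcp from $lan_net to $dmz_net port { 80 443 } flags S/SA keep state
block in quick on $lan_if from $lan_net to $dmz_net
pass in quick on $lan_if from $lan_net to any keep state          # LAN to Internet
# --- $lan_if, outgoing --- nothing: traffic reaching the LAN was accepted on the
#     interface it arrived on, and floating state carries it through.

# --- $dmz_if, incoming (from the DMZ) ---
# Servers may answer via state but may not initiate connections into the LAN.
block in quick on $dmz_if from $dmz_net to $lan_net
pass in quick on $dmz_if proto { tcp udp } from $dmz_net to any port { 53 123 } keep state
# --- $dmz_if, outgoing --- nothing, for the same reason as $lan_if.
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -si` shows state-table usage and `pfctl -t flooders -T show` lists sources that tripped the connection-rate limit. Because every pass rule sits on the incoming interface and uses "quick", no rule is duplicated on the outgoing side, which is the maintainability point of the reply.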

More information about the freebsd-isp mailing list