Writing DMZ rulesets
David Allen
the.real.david.allen at gmail.com
Sun Sep 14 01:47:38 UTC 2008
Apologies if this question falls into the obvious category, but I'm
wondering how rulesets are/should be written for DMZ scenarios. For
example:
ext_if = "fxp0"
dmz_if = "fxp1"
int_if = "fxp2"
nameservers = "{ 192.168.1.2, 192.168.1.3 }"
pass in on $ext_if proto { tcp, udp } from any to $nameservers port 53
pass out on $dmz_if proto { tcp, udp } from any to $nameservers port 53
pass in on $dmz_if proto { tcp, udp } from $nameservers port 53 to any
pass in on $dmz_if proto { tcp, udp } from $nameservers to any port 53
pass out on $ext_if proto { tcp, udp } from $nameservers port 53 to any
pass out on $ext_if proto { tcp, udp } from $nameservers to any port 53
Am I being redundant or excessively restrictive?
And assuming that "keep state" is implicit, does this mean that a state
entry will be created for each interface?
Thanks.
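An added example, not part of the original post: the same DMZ nameserver ruleset written against pf's two state policies, using the post's interface names and nameserver addresses (the state-policy line, the block rule and the comments are assumptions for illustration, based on the behaviour documented in pf.conf(5) for floating and if-bound states).

```pf
# Macros taken from the post above.
ext_if = "fxp0"
dmz_if = "fxp1"
int_if = "fxp2"
nameservers = "{ 192.168.1.2, 192.168.1.3 }"

# floating is pf's default: a state created on one interface matches the
# same connection on any interface, and a packet that matches a state is
# passed without evaluating the ruleset again. One stateful "pass in" per
# direction of the DNS service therefore covers the forwarded packet on
# the other interface and the replies, and "pfctl -ss" shows a single
# state entry per connection.
set state-policy floating

block all

# Queries from the outside to the DMZ nameservers (and their replies).
pass in on $ext_if proto { tcp, udp } from any to $nameservers port 53

# Recursive queries from the DMZ nameservers to the outside (and replies).
pass in on $dmz_if proto { tcp, udp } from $nameservers to any port 53

# With "set state-policy if-bound" instead, a state is tied to the
# interface that created it, so the packet leaving on the other interface
# does not match it and needs its own pass rule, which creates a second
# state entry. That is the situation the post's six rules cover:
# pass in  on $ext_if proto { tcp, udp } from any to $nameservers port 53
# pass out on $dmz_if proto { tcp, udp } from any to $nameservers port 53
# pass in  on $dmz_if proto { tcp, udp } from $nameservers to any port 53
# pass out on $ext_if proto { tcp, udp } from $nameservers to any port 53
```

Validate either variant with `pfctl -nf /etc/pf.conf` before loading it, and compare `pfctl -ss` output for a single DNS query under each policy to see the difference in state entries.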