Originally posted by: kt
Out of curiousity, why do you need so many DMZ?
Well for one, we get a lot of foot traffic and have some rather unsecured areas. The network is broken down into five separate networks, plus our two external networks (one being the internet), which aren't on a DMZ.
1. Main workstations network. Allowed to surf the net, IRC, etc., etc.. Cannot connect to any of the other six networks (excepting the 'net) apart from the webservers, wherein they can only connect on TCP/80 and TCP/443.
2. Webservers network. Allowed to serve TCP/80, TCP/443, but not allowed to generate its own outbound connections on any port other than TCP/1433 (SQL) bound for our DB server network. Meaning it is sort of in reply-only mode.
3. DB server network. Allowed to serve TCP/1433, but not allowed to generate its own outbound connections at all.
4. Public Access PC network. Allowed to surf the 'net (80/443 only) and to our internal webservers (80/443 only). All other access is denied.
5. Roaming network. Unused at the moment, we're planning some testing for wireless APs + mobile laptops.
6. Untrustable friendly network. Just a WAN connection to another network which provides us with a business service in the form of electronic data feeds.
7. Internet.
Essentially, I don't want any of the machines in each segment talking to one another at all. It was easier and more secure to simply physically separate them. That, and the two that should most definitely have been DMZed had separate requirements from the rest of the network. For instance, we need a guaranteed 1Gbps bandwidth from the webserver network to the DB server network, whereas the other networks we really don't care about.
Originally posted by: n0cmonkey
Some of PF's features (I know almost nothing about IPTables, someone else can compare it's features to these):
You can use variables in the easy to read config file.
- Iptables is much stronger then, since you can (and most do) use a script for your firewall. Many use bash, but you really have the strength of any interpretable script language (perl even) at your disposal.
Normalization of packets (fixes packet defrag problems).
Scrubbing (some OSes have crappy random ISNs and whatnot, this fixes that).
Scrubbing/normalization are both covered, I think. Could be wrong.
Proper stateful inspection (as of the last time I checked, IPTables did not have this).
On your SN comment, it is possible to create rules based on info about an SN , however, it requires an additional module, as I recall. Again, working from memory here.
🙂
PF appears to perform better for stateful filtering.
Never benched either of them, so I can't comment. Either way, stateful filtering doesn't appear to be draining on any system.
🙂
spamd (spam stopping software built into the firewall).
This is a bad idea IMHO for numerous reasons. It represents a separation of layers, and is generally a bad idea. As many others have commented, it's definitely best to have a firewall only do firewalling.
🙂 That being said, I'm quite certain that pf can bet configured to not use it, so it's really irrelevant.
2.
