On Mon, Jan 10, 2011 at 12:52:14PM -0800, Daniel C. Sinclair wrote:
> On Wed, Jan 5, 2011 at 10:15 AM, Henning Brauer <[email protected]> wrote:
> > * Bernd Bornkessel <[email protected]> [2011-01-05 11:59]:
> >> In pf's state table I see two records - one for each direction of the
> >> connection.
> >
> > and the accumulated data from the state is what pflow exports, so it
> > is all as intended.
> >
> > usually, you do your real filtering on one side of the firewall
> > (usually there are areas that can be called "inside" and "outside" -
> > tho in some cases, there are many many inside networks, countless
> > vlans in my case). the other side you do some antispoof and firewall
> > self-protection. pick one side for pflow.
>
> In my case I consider all sides of the firewall hostile - I want to
> protect the internet from the machines on my network just as much as I
> want to protect those machines from the internet. So there isn't
> really an inside and outside. I also want netflow for all traffic
> that goes through the firewall - not just to/from the internet but
> also dmz to dmz.
>
> My pf rule set looks something like this:
>
> block in log all
> pass out all keep state (pflow)
>
> pass in on $dmz01 inet from ($dmz01:network) to ($dmz13:network)
> pass in on $ifnet inet from any to ($dmz06:network)
>
> Everything is blocked from entering the firewall unless explicitly
> allowed by a 'pass in' rule. Any connection that is allowed in also
> needs to be let out - the single 'pass out' rule is a good place to
> collect pflow. Anything that goes through the firewall is collected
> and anything that goes out from the firewall is collected. If you
> want to collect everything that goes into the firewall you need to add
> 'pass in keep state(pflow)' rules on each service like this:
>
> # allow SSH into firewall from dmz20
> pass in on $dmz20 inet proto tcp from ($dmz20:network) to ($dmz20)
> port 22 keep state(pflow)
>
It would be fantastic if it would be possible to use match for state
settings like pflow et al. Then a simple
match in keep state (pflow)
would do the trick and this makes sense for no-sync or sloppy as well.
It is like set state-defaults but having more limited scope.
Henning, what do you think?
--
:wq Claudio