August 19th, 2003, 13:52
I was reading through some of my new books last night regarding security. After reading a few things about bastion hosts, DMZs and packet filters, I read a part where it suggested setting up a packet filter on your hosts in the DMZ... I figured this could be a very good thing...

Here is my reasoning as to why I think this would be a great idea.

If I just stick up a hardened server in the DMZ without a packet filter of some sort, I am solely relying on the router and firewall to do all of the blocking. We all know that some firewalls are not perfect and let things slip through. I figured, why not set up PF on my mail gateway, which is running OpenBSD 3.3? It would add an extra layer of security as well as let me play with a PF firewall at work.

Also, I can set up the BSD box to only allow certain services coming in from the firewall, while allowing SSH connections coming from my intranet.

Just thought I'd bounce this off everyone here to see what they thought and get some opinions.

Any thoughts? :)


August 19th, 2003, 14:38
What you describe above is what I have always done, and it works great. I always put some sort of packet filter on any box that will have direct inbound connections from the internet. Even with a protected/filtered DMZ, it's still a good idea. Since it won't cause any problems to services you run from that box, it can only be a good thing.

Sounds like things are progressing well!


August 19th, 2003, 14:48
I worked at a bank for a couple of years. Every security conference I went to kept saying that every layer of security you add is a good thing.

I'd recommend that you throw it on there and lock it down as much as you can. Avoid "any to any" rules when you know exactly where the traffic is coming from and going to.
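
Putting the design from the first post (only SMTP reachable through the firewall, SSH only from the intranet) together with the "no any-to-any" advice above into pf.conf form, as an added example. This is not the poster's actual ruleset; the interface name, the addresses and the DNS resolver are assumptions, and the box is assumed to sit single-homed in the DMZ so intranet traffic is distinguished by source address rather than by interface.

```conf
# Added example pf.conf for a DMZ mail gateway (OpenBSD 3.x era syntax).
# All names and addresses below are assumptions for illustration.
ext_if   = "fxp0"          # assumed: the gateway's DMZ interface
intranet = "10.10.0.0/16"  # assumed: internal network allowed to SSH in
dns      = "{ 192.0.2.53, 192.0.2.54 }"  # assumed: resolvers postfix may query

# Silently drop instead of sending RSTs/ICMP unreachables to probers
set block-policy drop

# Normalise fragments and odd TCP options before they reach the stack
scrub in on $ext_if all

# Loopback is trusted
pass quick on lo0 all

# Default deny in both directions; log drops so you can see what the
# perimeter firewall is letting through that you did not expect
block in  log on $ext_if all
block out log on $ext_if all

# Inbound SMTP: mail must arrive from arbitrary Internet sources, so the
# destination is pinned but the source is not. Only new connections
# (SYN without ACK) open state.
pass in on $ext_if proto tcp from any to $ext_if port 25 \
    flags S/SA keep state

# Inbound SSH: only from the intranet, never from the DMZ or Internet
pass in on $ext_if proto tcp from $intranet to $ext_if port 22 \
    flags S/SA keep state

# Outbound: what a mail relay actually needs, and nothing more
pass out on $ext_if proto tcp from $ext_if to any port 25 \
    flags S/SA keep state
pass out on $ext_if proto { tcp, udp } from $ext_if to $dns port 53 \
    keep state
```

Check the syntax without loading it (`pfctl -nf /etc/pf.conf`), then load it with `pfctl -f /etc/pf.conf` and enable PF with `pfctl -e`; `pfctl -s rules` and `pfctl -s state` show what was loaded and which connections have state. Make sure PF is enabled at boot in /etc/rc.conf (or rc.conf.local) so the ruleset comes back after a reboot. Because the SSH rule is source-restricted, load a new ruleset from the console or with a second session already open: a typo in $intranet locks you out of the box.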

August 19th, 2003, 15:48
Yep yep...things are looking good. I still have a ton of work to do, but it is going well.

The OpenBSD box is up at this moment. I configured postfix for some basic things, but I need to learn how to 'lock' down OpenBSD even more. :)

Yeah, I'm very excited about setting up PF on the OpenBSD box... it will give me a chance to work more with PF and fine-tune my skills.

Should be a blast.

I need to review some documentation for PF though. It has been a while. :)