Monday, March 23, 2026

Stateless filtering for established states

Hello, hoping for some guidance here. Trying to build a firewall system on OpenBSD.

It appears that PF has a fundamental design problem for high-security environments. When you allow creating new states for LAN -> WAN traffic, and subsequently need to filter the return packets, that is simply impossible.

For example: you execute a traceroute and the middle hops have RFC1918 IPs. As a general rule of thumb, you should filter RFC1918 sources from your WAN side. Yet, there is no way to accomplish that through PF.

One workaround I have found is that you can use a transit rdomain which is stateless - you can then filter per-packet and achieve the desired behavior. The caveat: increased CPU usage, less throughput.

What is the established way to handle this on OpenBSD - if there is one at all?
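To make the traceroute case concrete, here is an added pf.conf fragment (not from the original post) that contrasts the stateful ruleset the post describes with a stateless, per-packet variant using PF's `no state` option instead of a transit rdomain. The `egress` interface group, the `<rfc1918>` table name and the UDP traceroute port range are assumptions.

```pf
# Constructed example. "egress" is OpenBSD's interface group for the
# WAN-facing interface; the table name and port range are assumptions.
table <rfc1918> const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

# --- Variant A: stateful (the situation the post describes) ---
# PF performs the state lookup BEFORE evaluating the ruleset. Once the
# outbound UDP probe creates a state, the ICMP time-exceeded replies from
# RFC1918 hops are associated with that state and pass without ever being
# compared against the block rule, so the WAN-side RFC1918 filter is
# bypassed for that return traffic.
block in quick on egress from <rfc1918>
pass out on egress inet proto udp to port 33434:33523 keep state

# --- Variant B: stateless, per-packet (load instead of A) ---
# "no state" disables state tracking for these rules, so every packet,
# including the return traffic, is matched against the ruleset in order.
# The block rule now applies to the ICMP replies: time-exceeded messages
# from RFC1918 hops are dropped, replies from public hops still pass.
block in quick on egress from <rfc1918>
pass out quick on egress inet proto udp to port 33434:33523 no state
pass in quick on egress inet proto icmp icmp-type timex no state
```

Stateless rules also give up PF's per-connection tracking (for TCP, the sequence-number checks), and every packet is evaluated against the full ruleset, which is the CPU and throughput cost the post mentions for the rdomain approach.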
