Proper rules for proper separation for LANs
-
Yeah, just add rules to the source network interface passing the traffic you want.
-
> Yeah, just add rules to the source network interface passing the traffic you want.

So this is the most secure way to do it, not putting the file server on both networks with 2 NICs?
-
There is no "this is more secure than that." It all depends. It is not binary.
But yes, in general, I would say it is more secure.
You also eliminate potential asymmetric routing problems.
It makes essentially no sense to separate two segments (like LAN and DMZ) using a firewall and then just bypass the same firewall using a host with a NIC on each side.
-
Thank you.
From what I understand now, pfSense will move the data at layer 3, instead of layer 2 as it would if they were together on the same subnet? So the traffic will go through pfSense, from the WIFI net to the file server on the LAN net.
-
If there was a question in there I can't see it.
-
> If there was a question in there I can't see it.

I guess you are right. :-))))))))
P.S.
Not at the moment at least. I have to read and try some things before the real question emerges. Thanks again in the meantime.
-
Ok, but reading from the book and the example configurations I end up with these basic LAN rules. I would like some help to make sure I did a good job with the rule order. I am pretty sure about the bottom 2 rules, but not about the top ones.
Is this the proper order?
![lan rules.PNG](/public/imported_attachments/1/lan rules.PNG)
-
It depends on what you are looking to accomplish.
-
I thought it showed in the picture.
If I have to describe it: I am trying to have a very secure network, by conservatively locking it down and only allowing things on a "need to know", in this case "need to pass", basis. And while still learning I would like to know if what I am doing so far is correct, before it becomes a mess. I really don't know if the order makes any difference for the first 3 rules, for example?!
-
> I really don't know if the order makes any difference for the first 3 rules, for example?!

The rules show what you have done not what you are trying to do.
You continue to think there is one right answer when every network has different requirements, compliance issues, goals, threat models, etc.
"need to know" "need to pass"
Only you know who needs to know what and what needs to pass where.
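The two points made above, rules go on the interface the traffic enters and order matters because pfSense interface rules are first-match ("quick"), can be checked without touching a firewall. The block below is an added example written for this thread; it is not pfSense code or anything posted by the participants. The interface names, the WIFI and LAN subnets and the file server address are constructed for illustration, and the evaluator only models the parts of pf that matter here: per-interface rule tabs, first match wins, and an implicit default deny for anything unmatched.

```python
"""Toy first-match evaluator for pfSense-style per-interface rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed addressing for the example, not taken from the thread.
WIFI_NET = "192.168.20.0/24"
LAN_NET = "192.168.10.0/24"
FILESERVER = "192.168.10.5/32"
ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    iface: str                   # rule tab = interface the packet ENTERS on
    proto: str                   # "tcp", "udp" or "any"
    src: str                     # CIDR
    dst: str                     # CIDR
    dport: Optional[int] = None  # None = any destination port
    label: str = ""


@dataclass(frozen=True)
class Packet:
    iface: str   # ingress interface
    proto: str
    src: str
    dst: str
    dport: int


def _matches(rule: Rule, pkt: Packet) -> bool:
    """A rule only ever sees traffic entering its own interface."""
    if rule.iface != pkt.iface:
        return False
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ip_address(pkt.src) not in ip_network(rule.src):
        return False
    if ip_address(pkt.dst) not in ip_network(rule.dst):
        return False
    if rule.dport is not None and rule.dport != pkt.dport:
        return False
    return True


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins (pfSense adds 'quick' to interface rules).
    Returns (action, index of the rule that matched); unmatched traffic
    hits the implicit default deny and returns ("block", None)."""
    for i, rule in enumerate(rules):
        if _matches(rule, pkt):
            return rule.action, i
    return "block", None


def unreachable_rules(rules: List[Rule], probes: List[Packet]) -> List[int]:
    """Indices of rules that none of the probe packets ever reaches,
    i.e. rules shadowed by something above them."""
    hit = {evaluate(rules, p)[1] for p in probes}
    return [i for i in range(len(rules)) if i not in hit]


# Rules on the WIFI tab, most specific first: allow SMB to the file server,
# deny everything else into LAN, then let the rest out to the internet.
WIFI_RULES_OK = [
    Rule("pass", "WIFI", "tcp", WIFI_NET, FILESERVER, 445, "SMB to file server"),
    Rule("block", "WIFI", "any", WIFI_NET, LAN_NET, None, "no other WIFI->LAN"),
    Rule("pass", "WIFI", "any", WIFI_NET, ANY, None, "WIFI to internet"),
]
# Same three rules with the broad "internet" pass moved to the top.
WIFI_RULES_BAD = [WIFI_RULES_OK[2], WIFI_RULES_OK[0], WIFI_RULES_OK[1]]

# Constructed probe traffic.
SMB = Packet("WIFI", "tcp", "192.168.20.7", "192.168.10.5", 445)
SSH_TO_LAN = Packet("WIFI", "tcp", "192.168.20.7", "192.168.10.9", 22)
WEB = Packet("WIFI", "tcp", "192.168.20.7", "203.0.113.10", 443)
LAN_INGRESS = Packet("LAN", "tcp", "192.168.10.9", "192.168.20.7", 445)
PROBES = [SMB, SSH_TO_LAN, WEB, LAN_INGRESS]

if __name__ == "__main__":
    for name, rules in (("ok", WIFI_RULES_OK), ("bad", WIFI_RULES_BAD)):
        for p in PROBES:
            print(name, p.iface, p.dst, p.dport, "->", evaluate(rules, p))
        print(name, "unreachable rules:", unreachable_rules(rules, PROBES))
```

With the specific rules first, SMB to the file server passes, SSH to another LAN host is blocked, and web traffic goes out. With the broad pass on top, every WIFI packet matches rule 0, the block rule is never reached, and `unreachable_rules` reports it as dead. The LAN-ingress probe is blocked under both rulesets because the WIFI tab never sees traffic entering LAN, which is why return traffic from the file server needs its own rule on the LAN side (or, in real pfSense, is handled by the state created by the WIFI pass rule).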
-
I am thinking that in order to master pfSense rules and improve security I need to see examples from experts so I can get ideas and then tailor them to the specific needs of my network, don't you agree?
P.S.
I know there is a lot of information floating around the net, but most of it is wrong or at least not correct, and I don't want to learn the wrong way from people who are trying to be helpful but unfortunately not knowledgeable; that, I think, is the worst outcome.