# Firewall subnetting



## gpatrick (Aug 9, 2010)

While reading "The Book of PF" I see where the author suggests where it is possible to create a int_if of 192.0.2.0/25 and a dmz_if of 192.0.2.129/25; saying there is no need to touch the rule set for packet filtering to work after setting up a physically separated DMZ.

I was under the impression one should create a int_if on say 192.0.2.0/24 and a dmz_if on say 192.0.3.0/24 (or whatever subnet mask chosen).

Are there any benefits to doing it like 192.0.2 or 192.0.3 instead of the way the author suggests?  I know the author has a lot of experience with PF, but I'm trying to understand the proper method of addressing and subnetting a firewall with a ext_if, int_if and dmz_if .


----------



## loop (Aug 9, 2010)

It doesn't matter, the only difference is that there's 254 usable addresses in a /24 and 126 usable in a /25


----------



## gpatrick (Aug 10, 2010)

Thanks, but I understand the number of usable addresses, what I'm really wondering is the addressing.  Is it acceptable to use both the int_if and dmz_if on 192.168.10.0 for example; or is it better to put the int_if on 192.168.10.0 and the dmz_if on 192.168.12.0 for example?


----------



## loop (Aug 10, 2010)

Using the example in the PF book, int_if (192.0.2.0/25) and  dmz_if (192.0.2.129/25) are in different subnets. So it doesn't matter if you have int_if of 10.0.0.1/8 and dmz_if at 172.16.0.1/12 or anything, as long as the interfaces are in separate subnets pf will work it out


----------



## SirDice (Aug 10, 2010)

It's not PF that works it out. PF doesn't route anything, it's the OS that does the routing (routing tables). Even with PF disabled it would still work.


----------

