Pass through packets
Greg.Hennessy at nviz.net
Wed Mar 28 09:33:00 UTC 2007
> > Not if you run a default block policy it won't.
> I've seen my problem
> I have a rule which is something like opendoor for outgoing packets from
> the firewall...
Ahhh, that wouldn't help :-).
> And NAT rules are applied before filtering rules.
> So for traffic going from internal to external, I only have to set up a
> pass rule on the internal interface !
That depends whether you use 'nat pass' or not. I tend not to, as the PF
port on FreeBSD doesn't support logging for 'nat pass' presently.
A default block policy with just 'nat' requires an egress rule.
> > From there only permitted ingress & egress flows will be permitted.
> Yep... that's what I have done now.
> So if I want very accurate filtering for forwarded packets, I must
> set up 2 rules every time... one pass in on the incoming interface and
> another with pass out on the outgoing interface...
Not necessarily :-).
If you don't need to address translate the flow, one can use pass rules
without direction on interface groups combined with anti spoofing.
antispoof log quick on em1 for .....
antispoof log quick on em2 for .....
pass log quick on em $UDP from <insidenets> to <dmznet> port snmp
pass log quick on em $TCP from $DMZHost to $InsideHost port
One rule per flow, state created on both interfaces as not specifying
direction will match both ingress and egress flows.
PF on FreeBSD is currently at the revision level of OpenBSD 3.7.
Later versions of PF on OpenBSD have greatly expanded the use of interface
groups and provide some interesting ways of making policies even more
concise and readable.
I am sure when Max Laier et al. find the time we'll enjoy the benefit of it
on FreeBSD too.
> > I am partial to using generic egress rules in combination with
> > myself.
> I'll check the egress rules...
Generic tagged egress rules will make the policy a lot more readable.
As with a PIX, one then just becomes concerned with the ingress interface.
> > Whether that's a consequence of being infected with the Checkpoint and Pix
> > virus at an early age, I know not :-).
> I'm infected with Linux netfilter/iptables... :-)
You have my deepest sympathies :-).
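One way to put the points from this post into a single pf.conf, added here as an example for the thread rather than Greg's own ruleset: the interface roles (em0 external, em1 inside, em2 DMZ), the address ranges, the hosts and the tag name EGRESS are all assumptions. It is written for the OpenBSD 3.7-level PF that FreeBSD shipped at the time, so "keep state" is spelled out on every pass rule, since PF of that vintage does not create state implicitly.

```pf
# Added example for this thread, not Greg's config. Interface names,
# addresses, hosts and the EGRESS tag are assumptions.
ext_if = "em0"
int_if = "em1"
dmz_if = "em2"

table <insidenets> const { 192.168.10.0/24, 192.168.20.0/24 }
table <dmznet>     const { 10.0.0.0/24 }
DMZHost    = "10.0.0.5"
InsideHost = "192.168.10.5"

scrub in all

# Translation only. With plain "nat" (not "nat pass") the translated packet
# is still run through the filter on the outbound interface, so a default
# block policy needs an explicit egress rule for it further down.
nat on $ext_if from <insidenets> to any -> ($ext_if)

# Default block policy: only flows permitted below get through.
block log all
pass quick on lo0 all

# Drop packets whose source address does not belong on the interface
# they arrived on.
antispoof log quick for $int_if
antispoof log quick for $dmz_if

# Flows that are not translated: one rule per flow, no direction, on the
# "em" interface group. The same rule matches the packet as it enters on
# em1 and again as it leaves on em2, so both interfaces get state.
pass log quick on em proto udp from <insidenets> to <dmznet> port snmp keep state
pass log quick on em proto tcp from $DMZHost to $InsideHost port ssh flags S/SA keep state

# Translated flows: classify and tag on the ingress interface only, and let
# one generic egress rule pass anything that carries the tag. Adding a new
# outbound service then means touching the ingress rule alone.
pass in log quick on $int_if proto tcp from <insidenets> to any port { http, https } flags S/SA keep state tag EGRESS
pass out log quick on $ext_if tagged EGRESS keep state
```

Load it with "pfctl -nf /etc/pf.conf" first to syntax-check before "pfctl -f". The tagged egress rule is address-free on purpose: after "nat" the packet leaves em0 with the external address as source, so an egress rule keyed on <insidenets> would never match, whereas the tag set on em1 survives the translation.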