ipf stateful rules
Abdullah Koro
koro at koro.bentala.co.id
Sun Dec 10 20:31:09 PST 2006
At the moment, I just use a simple configuration that passes all traffic.
Nothing needs to be restricted.
This is my NAT configuration sample; I keep it simple ;)
# Run NAT
/sbin/natd -interface rl0                                 # natd translates on the external interface rl0
/sbin/ipfw -f flush                                       # clear the existing ruleset without prompting
/sbin/ipfw add divert natd all from any to any via rl0    # hand every packet crossing rl0 to natd
/sbin/ipfw add pass all from any to any                   # then let everything through
and the interfaces:
> ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet6 fe80::2e0:4cff:feaa:3e53%rl0 prefixlen 64 scopeid 0x1
inet 192.168.2.231 netmask 0xffffff00 broadcast 192.168.2.255
ether 00:e0:4c:aa:3e:53
media: Ethernet autoselect (100baseTX <full-duplex>)
status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
options=8<VLAN_MTU>
inet6 fe80::213:46ff:fe3a:da6f%rl1 prefixlen 64 scopeid 0x2
inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
ether 00:13:46:3a:da:6f
media: Ethernet autoselect (10baseT/UTP)
status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
inet6 ::1 prefixlen 128
inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
inet 127.0.0.1 netmask 0xff000000
regards,
koro
On Sun, 10 Dec 2006, Nathan Watson wrote:
> Hello,
> I'm running FreeBSD 6.1 with IPF/IPNAT, and I'm having a problem getting my rules to work. The problem is mainly that I want no restrictions on outbound traffic, and I'm not sure how to apply stateful filtering to that. I have the following rule (hme0 is my external interface):
>
> pass out quick on hme0 all
>
> If I change that to "pass out quick on hme0 all keep state," will that only open the port that the outbound packet was on? Are there any problems that can arise from allowing all outbound traffic? At the moment, my ruleset doesn't pass packets at all... I'm just having lots of troubles here. My ruleset is below, and everything seems to be caught by the last block all rule. Any suggestions?
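A small IPF ruleset of the kind the question describes, added here as an illustration (it is not either poster's own configuration); hme0 is the external interface named in the question, and the lo0 rules are an assumption:

```conf
# /etc/ipf.conf: stateful outbound, default-deny inbound (added example).
# hme0 is the external interface from the question; lo0 rules are assumed.

# Drop obviously bogus inbound packets before anything else.
block in quick on hme0 from 127.0.0.0/8 to any
block in quick on hme0 all with short

# Allow the box to talk out and remember each connection it starts.
# "keep state" records this packet's specific source/destination
# addresses and ports, so only replies to that flow are admitted back in;
# it does not open the destination port to everyone.
# "flags S" matches only the initial SYN, so state is created once per
# TCP connection rather than for every outbound segment.
pass out quick on hme0 proto tcp from any to any flags S keep state
pass out quick on hme0 proto udp from any to any keep state
pass out quick on hme0 proto icmp from any to any keep state

# Loopback traffic must remain unrestricted.
pass in quick on lo0 all
pass out quick on lo0 all

# Anything inbound on hme0 with no matching state entry is logged and dropped.
# IPF applies the last matching rule unless a rule carries "quick", so the
# "quick" on the pass rules above is what keeps this final block from
# overriding them.
block in log quick on hme0 all
```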