PF firewall rules
Greg Hennessy
Greg.Hennessy at nviz.net
Tue Jul 11 12:54:49 UTC 2006
>
> I did mention it a few times, but I suppose I wasn't clear
> about it. I really do want to use "single line firewall
> rules", and the only way to do this is to keep state. If
> there are other ways/rules to have a really flexible firewall
> but still with stateful inspection and a small number of
> rules, I would like to see them.
Yes, RTFMP on tag and tagged.
Create generic egress rules on all the filtered interfaces with 'tagged'.
E.g.
pass out on {int1,int2,int3} $TCP to any tagged through $KSF
Use tag on ingress rules as appropriate.
E.g.
pass in on int1 $TCP from a to b tag through $KSF
Or, in an environment with no NAT, use interface classes on bidirectional
rules combined with anti-spoofing.
Greg
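The tag/tagged layout Greg sketches above, written out as a complete pf.conf fragment. This is an added example, not the original poster's ruleset: the interface names (em0, em1, em2), the address macros, the tag name "through" and the expansion of $KSF as "flags S/SA keep state" are all assumptions made for illustration. Policy decisions are taken once, on ingress, where each single-line rule both passes and tags the first packet; one generic egress rule per protocol then lets anything carrying the tag leave on any filtered interface. Because the tag is stored in the state entry along with the connection, the remaining packets of the flow match the state and never re-enter rule evaluation.

```pf
# Added example, not from the original post. Interface names, networks,
# the "through" tag name and the $KSF macro body are assumptions.
ext_if  = "em0"
lan_if  = "em1"
dmz_if  = "em2"
all_if  = "{ em0, em1, em2 }"          # every filtered interface
lan_net = "192.0.2.0/24"               # documentation prefix, constructed
dmz_web = "198.51.100.10"              # documentation address, constructed
KSF     = "flags S/SA keep state"      # assumed expansion of $KSF

set skip on lo0
scrub in all

# Anti-spoofing on the inside interfaces: packets arriving on the wrong
# interface for their source network are dropped before any tag is set.
antispoof quick for { $lan_if, $dmz_if }

block all

# Generic egress: anything tagged "through" on the way in may leave on
# any interface. Do not put flags on the UDP/ICMP rules; pfctl rejects
# "flags" on a non-TCP rule.
pass out on $all_if proto tcp  from any to any tagged through $KSF
pass out on $all_if proto udp  from any to any tagged through keep state
pass out on $all_if proto icmp from any to any tagged through keep state

# Ingress policy: one line per permitted flow, each sets the tag.
pass in on $lan_if proto tcp from $lan_net to $dmz_web port { 80, 443 } tag through $KSF
pass in on $lan_if proto { tcp, udp } from $lan_net to any port 53 tag through keep state
pass in on $lan_if proto tcp from $lan_net to any port { 80, 443 } tag through $KSF
pass in on $ext_if proto tcp from any to $dmz_web port 80 tag through $KSF
```

Syntax-check before loading with `pfctl -nf /etc/pf.conf`. The important caveat is that a packet which matches no ingress rule is never tagged, so it is dropped by `block all` on the way in; conversely, a packet that is tagged but has no matching "pass out ... tagged" rule for its protocol is still blocked on egress, which is why there is one generic egress rule per protocol rather than a single catch-all.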