Pass through packets
Greg Hennessy
Greg.Hennessy at nviz.net
Mon Mar 26 18:21:12 UTC 2007
> Hi,
>
> I just want to know how to properly handle packets which pass
> through the firewall...
That depends on what you're trying to do exactly.
>
> I can handle all packets coming to all interfaces of my
> firewall, and the same with outgoing packets, by using in/out
> with the statement "on $interface"
>
> But what about forwarding packets ?
Properly configured routing is your best friend.
If you need some form of policy based routing, rdr & route-to
http://www.openbsd.org/faq/pf/pools.html#outgoing
will facilitate that.
> With iptables
> we can set a rule: iptables -t filter -A FORWARD -i eth0 -o
> eth1 etc....
>
> With packet filter how can I have such a way of processing my packets?
>
> If I set up a rule pass in on $if_internal inet proto tcp \
> from $internal_networks to any \
> flags S/SA modulate state
>
> The packet from my internal networks can also exit on my DMZ
> interfaces !
Not if you run a default block policy it won't.
The 1st packet filtering rule of every pf policy should be
block log all
From there only permitted ingress & egress flows will be permitted.
>
> Is the only way to set that up to specify a destination
> with ! { $dmz_networks1, $dmz_networks2 } ?
There's a number of ways to skin this particular cat.
I am partial to using generic egress rules in combination with tagging
myself.
My personal PF policy style is to code '1st' match by using 'quick' on every
rule.
Whether that's a consequence of being infected with the Checkpoint and Pix
virus at an early age, I know not :-).
I would also counsel against the use of 'any'.
Negation is a mite more logical and less error prone on larger policies
IMHO.
Tables will also reduce macro expansion.
Greg
>
> Thx for any help.
>
> Regards
> Guillaume
>
> --
> Guillaume
> E-mail: silencer_<at>_free-4ever_<dot>_net
> Blog: http://guillaume.free-4ever.net
> ----
> Site: http://www.free-4ever.net
>
>
>
>
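The following pf.conf is an added worked example of the policy style Greg describes above (block log all as the first filter rule, quick on every pass rule, tables instead of macro lists, negation instead of "any", and tags to pair each ingress rule with a generic egress rule). It is not a ruleset from the thread; the interface names, networks and tag names are assumed.

```pf
# Added example, not from the thread. Interface names, networks and
# tag names are assumptions; check syntax with: pfctl -nf /etc/pf.conf
ext_if = "em0"   # Internet
int_if = "em1"   # internal LAN
dmz_if = "em2"   # DMZ

# Tables instead of { a, b, c } macro lists: one rule and one lookup
# per table rather than one expanded rule per address, and the contents
# can be changed at runtime with "pfctl -t <name> -T add|delete".
table <internal_nets> const { 192.168.10.0/24, 192.168.11.0/24 }
table <dmz_nets>      const { 10.0.1.0/24, 10.0.2.0/24 }
table <dmz_web>       const { 10.0.1.10, 10.0.1.11 }

set skip on lo0
# if-bound states: a state created by "pass in" on $int_if does not also
# pass the packet out on $dmz_if or $ext_if, so every forwarded flow needs
# a matching egress rule. The tags make those egress rules generic.
set state-policy if-bound
scrub in all

nat on $ext_if from <internal_nets> to ! <dmz_nets> -> ($ext_if)

# 1st filter rule: default deny, logged. Every later rule is "quick",
# so the first matching pass wins and anything unmatched lands here.
block log all

# Internal -> DMZ web servers only. The ingress rule tags the packet;
# the egress rule on $dmz_if passes nothing but traffic carrying the tag.
pass in  quick on $int_if inet proto tcp from <internal_nets> \
    to <dmz_web> port { 80, 443 } flags S/SA modulate state tag INT_TO_DMZ
pass out quick on $dmz_if inet proto tcp flags S/SA modulate state \
    tagged INT_TO_DMZ

# Internal -> Internet. Negation ("! <dmz_nets>") instead of "any": a LAN
# packet bound for the DMZ never matches this rule, so it cannot leave
# via $dmz_if under it; only the INT_TO_DMZ pair above can let it through.
pass in  quick on $int_if inet proto tcp from <internal_nets> \
    to ! <dmz_nets> flags S/SA modulate state tag INT_EGRESS
pass in  quick on $int_if inet proto udp from <internal_nets> \
    to ! <dmz_nets> keep state tag INT_EGRESS
pass out quick on $ext_if keep state tagged INT_EGRESS

# Internet -> DMZ web servers, again paired with a tagged egress rule.
pass in  quick on $ext_if inet proto tcp to <dmz_web> port { 80, 443 } \
    flags S/SA modulate state tag EXT_TO_DMZ
pass out quick on $dmz_if inet proto tcp flags S/SA modulate state \
    tagged EXT_TO_DMZ
```

Anything not listed, including DMZ-originated traffic and DMZ-to-internal, falls through to the initial block log all and shows up on pflog0 (tcpdump -n -e -ttt -i pflog0), which is the quickest way to see which flow an intended rule failed to cover. Load with pfctl -f /etc/pf.conf once pfctl -nf reports no errors.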