Pass through packets

Greg Hennessy Greg.Hennessy at nviz.net
Mon Mar 26 18:21:12 UTC 2007


> Hi,
> 
> I just want to know how to handle properly packets which pass 
> through the firewall...

That depends on what you're trying to do exactly. 

> 
> I can handle for all packets coming to all interface of my 
> firewall and the same with outgoing packets by using in/out 
> with statement "on $interface"
> 
> But what about forwarding packets ?

Properly configured routing is your best friend. 

If you need some form of policy based routing, rdr & route-to

http://www.openbsd.org/faq/pf/pools.html#outgoing

will facilitate that. 


> With iptables
> we can set a rule: iptables -t filter -A FORWARD -i eth0 -o 
> eth1 etc....
> 
> With packet filter how can I have a such way of processing my packet ?
> 
> If a setup a rule pass in on $if_internal inet proto tcp \
> 	from $internal_networks to any \
> 	flags S/SA modulate state
> 
> The packet from my internal networks can also exit on my DMZ 
> interfaces !

Not if you run a default block policy it won't. 

The 1st packet filtering rule of every pf policy should be

	block log all

From there only permitted ingress & egress flows will be permitted. 

> 
> Is the only way to setup that is to specify a destination 
> with ! { $dmz_networks1, $dmz_networks2 } ?


There's a number of ways to skin this particular cat. 

I am partial to using generic egress rules in combination with tagging
myself. 

My personal PF policy style is to code '1st' match by using 'quick' on every
rule. 
Whether that's a consequence of being infected with the Checkpoint and Pix
virus at an early age, I know not :-). 

I would also counsel against the use of 'any'. 
Negation is a mite more logical and less error prone on larger policies
IMHO. 
Tables will also reduce macro expansion. 


Greg




> 
> Thx for any help.
> 
> Regards
> Guillaume
> 
> --
> Guillaume
> E-mail: silencer_<at>_free-4ever_<dot>_net
> Blog: http://guillaume.free-4ever.net
> ----
> Site: http://www.free-4ever.net
> _______________________________________________
> freebsd-pf at freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe at freebsd.org"
> 
> 

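As an added illustration of the approach Greg outlines (a logged default block as the first rule, `quick` on every pass rule, tables rather than macro lists, a negated table rather than `any`, and tags on ingress flows so egress rules can stay generic), here is a pf.conf fragment. It is not part of the thread or of any project; the interface names, address ranges and tag names are assumed values, and `keep state` is spelled out so the rules read the same on the pf of that era and on later versions where state is the default.

```pf
# Added example (not from the thread): a first-match pf.conf fragment in the
# style Greg describes. Interface names, addresses and tag names are assumed.
if_ext      = "em0"
if_internal = "em1"
if_dmz      = "em2"

# Tables instead of macros: one lookup per rule, no expansion into many rules.
# "! <dmz_nets>" negates the whole table in a single rule; a negated list
# "! { a, b }" expands into separate negated rules, which is not the same thing.
table <internal_nets> const { 192.168.10.0/24, 192.168.20.0/24 }
table <dmz_nets>      const { 10.0.10.0/24, 10.0.20.0/24 }

set skip on lo0

# Rule 1: default deny, logged. No 'quick' here: every later pass rule is
# 'quick', so anything they do not match falls back to this rule.
block log all

# Ingress on the internal interface: admit the flow and tag it with where it
# is allowed to go. No destination here is 'any'.
pass in quick on $if_internal inet proto tcp from <internal_nets> \
    to <dmz_nets> port { 80, 443 } flags S/SA modulate state tag INT_TO_DMZ
pass in quick on $if_internal inet proto tcp from <internal_nets> \
    to ! <dmz_nets> flags S/SA modulate state tag INT_TO_INET

# Egress: generic rules keyed on the tag rather than on addresses. A flow
# tagged INT_TO_INET has no pass rule on $if_dmz, so if routing ever sends it
# that way it lands on "block log all" and shows up in pflog.
pass out quick on $if_dmz tagged INT_TO_DMZ keep state
pass out quick on $if_ext tagged INT_TO_INET keep state
```

Check the syntax and the macro/table expansion without loading anything with `pfctl -vnf /etc/pf.conf`; once loaded, `tcpdump -n -e -ttt -i pflog0` shows exactly which flows fall through to the logged default block, which is the quickest way to find a forwarding path the policy did not anticipate.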


