Pass through packets
Guillaume
silencer at free-4ever.net
Wed Mar 28 12:40:40 UTC 2007
>>> Not if you run a default block policy it wont.
>>>
>> I've seen my problem
>>
>> I have a rule which is something like an open door for outgoing packets from
>> the firewall...
>
> Ahhh, that wouldn't help :-).
>
hhhmmm :-)
This rule has as source the IP of the external interface.... but NAT is
applied before filtering...
So all my outgoing traffic which needed to be NATed was accepted on
outbound !
>> And NAT rules are applied before filtering rules.
>> So for traffic going from internal to external, I only have to set up a
>> pass rule on the internal interface !
>
> That depends whether you use 'nat pass' or not. I tend not to, as the PF
> port on FreeBSD doesn't support logging for 'nat pass' presently.
>
I use nat without pass
> A default block policy with just 'nat' requires an egress rule.
>
Yep...
>>> From there only permitted ingress & egress flows will be permitted.
>>>
>> Yep... that's what I have done now.
>>
>> So if I want a very accurate filtering for forwarding packets, I must
>> setup 2 rules every time... one pass in on the incoming interface and
>> another with pass out on the outgoing interface...
>
> Not necessarily :-).
>
In my case.... it seems ! :-(
> If you don't need to address translate the flow, one can use pass rules
> without direction on interface groups combined with anti spoofing.
>
My internal network is 192.168.x.x
I have a DMZ with public IPs and another with private IPs...
> e.g
>
> dmz1="em1"
> inside="em2"
>
> antispoof log quick on em1 for .....
> antispoof log quick on em2 for .....
>
> pass log quick on em $UDP from <insidenets> to <dmznet> port snmp $KS
> pass log quick on em $TCP from $DMZHost to $InsideHost port something $KSF
>
> One rule per flow, state created on both interfaces as not specifying
> direction will match both ingress and egress flows.
>
I'll keep that in mind :-)
>>> Whether that's a consequence of being infected with the Checkpoint and Pix
>>> virus at an early age, I know not :-).
>>>
>> LOL
>>
>> i'm infected with Linux netfilter/iptables... :-)
>
> You have my deepest sympathies :-).
>
Thx :-)
>
>
> Greg
>
>
>
Guillaume
--
Guillaume
E-mail: silencer_<at>_free-4ever_<dot>_net
Blog: http://guillaume.free-4ever.net
----
Site: http://www.free-4ever.net
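A constructed pf.conf fragment, added here as an illustration and not taken from the thread or from either poster, that puts the points above side by side: a default block policy with 'nat' but no 'pass', the overly broad egress rule that also matches NATed traffic because translation runs before filtering, a tagged in/out pair for translated flows, and direction-less rules on the "em" interface group for untranslated inside/DMZ flows. The interface names, the <dmznet> range, the ports and the tag name are assumptions.

```pf
# Constructed example, not the poster's configuration.
ext_if  = "em0"
dmz_if  = "em1"
int_if  = "em2"
int_net = "192.168.0.0/16"           # assumption: the poster's internal range
table <insidenets> { 192.168.0.0/16 }
table <dmznet>     { 10.0.1.0/24 }   # assumption: the private-IP DMZ

set block-policy drop
block log all                        # default block policy: nothing passes unless a rule says so

# 'nat' without 'pass': translated packets still go through the filter rules,
# so an explicit egress rule on $ext_if is required.
nat on $ext_if from $int_net to any -> ($ext_if)

# Too broad: NAT rewrites the source of every translated packet to ($ext_if)
# before filtering, so this rule passes all NATed internal traffic, not only
# traffic the firewall itself originates. Left commented out on purpose.
# pass out quick on $ext_if from ($ext_if) to any keep state

# Translated flows need two rules; the tag ties the egress rule to flows that
# were admitted on the inside interface, so it cannot be matched by anything else.
pass in  log quick on $int_if proto tcp from <insidenets> to any port { 80 443 } \
    flags S/SA keep state tag LAN_WEB
pass out log quick on $ext_if tagged LAN_WEB keep state

# Untranslated flows (inside <-> DMZ): antispoof on each member interface, then
# one rule per flow with no direction on the interface group "em". Without a
# direction the rule matches both the ingress and the egress side, so state is
# created on both interfaces from a single rule.
antispoof log quick for $dmz_if
antispoof log quick for $int_if
pass log quick on em proto udp from <insidenets> to <dmznet> port snmp keep state
pass log quick on em proto tcp from <dmznet> to <insidenets> port 514 \
    flags S/SA keep state
```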