pf, ping and traceroute

jonathan michaels jlm at caamora.com.au
Tue Sep 11 04:38:32 PDT 2007


On Tue, Sep 11, 2007 at 02:07:45AM -0700, Kian Mohageri wrote:
> On 9/10/07, jonathan michaels <jon at caamora.com.au> wrote:
> >
> > i get that it is part of the functionality to stop outside stuff
> > garbage bad people from getting to the inside but how do i make a
> > "hole" in the 'firewall' for ping/traceroute without opening up the
> > firewall to let the same (ping/traceroute/etc) stuff come in from the
> > outside ????
> >
> 
> PF was developed by OpenBSD, so their documentation is mostly
> authoritative.  Keep in mind the PF found in FreeBSD is slightly
> different -- it isn't as new, for the most part (much of that changed
> recently thanks to Max Laier).
> 
> Anyway, have you read the OpenBSD documentation?

yes, but,
 
> http://www.openbsd.org/faq/pf/

yes, kian, my basic problem is that english is not my first language
and i still have difficulty understanding the way that the document is
written.
 
> Focus on understanding how the directions work (e.g. pass in vs. pass
> out) and also 'keep state.'  Understanding states is critical... have
> you figured out how those work yet?

i think that i have .. but, i have a way to go yet i think. learning
for me is a hard process of reading and reading and reading until i
understand it and i can get it past the damaged bits of my brain.

sorry, i don't have any other way of explaining what is going on.
 
> Are you filtering on a router? Switch? Server?

pentium 133 mhz that is running freebsd v6.2 and i am using the
included version of pf. so i suppose that it is a server, yes ??

my internet connection is via a v.90 dialup modem that provides me a
permanent connected ppp style connection/account (been using some 10
plus years).

ext_if=ppp0	= this is the modem, on serial (comm0/cuad0 ) port 1
int_if=de0	= nic, accton en1203 21040 (a digital 10 mhz clone)

this is all that there is, so i suppose it's a simple router ??

i am thinking of using pf to defend all the internal machines from
stuff that makes it through the firewall, is this possible (there seems
to be nothing, that i have been able to find/understand in the doc or
via google) ??

this means that i am looking at using ipfw as a secondary firewall, or
just as a filter kind of thing to keep out the stuff that is making it
through the firewall.


> -Kian

-- 
================================================================
powered by ..
QNX, OS9 and freeBSD  --  http://caamora com au/operating system
==== === appropriate solution in an inappropriate world === ====
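The outbound-only "hole" for ping and traceroute that the thread asks about, written up as an added example pf.conf for a FreeBSD 6.2-era pf (not taken from either post). It uses the ppp0/de0 interface names the poster listed; the NAT line, the explicit `keep state` (not the default on pf of that vintage) and the 33434:33523 UDP range for traceroute probes are assumptions about the setup.

```pf
# Added example pf.conf (not from the thread); interface names are the ones
# the poster listed, everything else here is an assumption about the setup.
ext_if = "ppp0"
int_if = "de0"

set skip on lo0
scrub in all

# Hide the LAN behind the dialup address; ($ext_if) follows a dynamic IP.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default deny inbound on the modem link: nothing from outside gets to
# create a state, so inbound echo requests and traceroute probes are dropped.
block in log on $ext_if all

# LAN hosts may reach the firewall and pass through it.
pass in on $int_if from $int_if:network to any keep state
pass out on $int_if all keep state

# Outbound "hole": an echo request we send creates a state, and only the
# matching echo reply is let back in; unsolicited inbound pings still hit
# the block rule above.
pass out on $ext_if inet proto icmp icmp-type echoreq keep state

# traceroute: UDP probes to the classic port range. pf matches the ICMP
# time-exceeded / port-unreachable errors that come back against this
# UDP state, so no separate "pass in" for ICMP errors is needed.
pass out on $ext_if inet proto udp from any to any port 33434:33523 keep state

# Ordinary outbound TCP/UDP traffic, stateful as well.
pass out on $ext_if inet proto { tcp udp } from any to any keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch `pflog0` with tcpdump to confirm inbound probes are being logged and dropped rather than answered.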