pf, ping and traceroute
000.fbsd at quip.cz
Tue Sep 11 07:44:33 PDT 2007
jonathan michaels wrote:
> On Tue, Sep 11, 2007 at 02:07:45AM -0700, Kian Mohageri wrote:
> yes, kian, my basic problem is that english is not my first language
> and i still have difficulty understanding the way that teh document is
Even if you are not native english speaking, please use "the" and not
"teh". It is hard to read your sentences.
>>Focus on understanding how the directions work (e.g. pass in vs. pass
>>out) and also 'keep state.' Understanding states is critical... have
>>you figured out how those work yet?
> i think that i have .. but, i have a way to go yet i think. learning
> for me is a hard process of reading and reading and reading untill i
> understand it and i can get it past teh damaged bits of my brain.
> sorry, i don't have any other way of explaining what is going on.
I am using PF on my servers and I am using the folowing two lines to
allow incoming & outgoing pings:
# Allow pings and replies while keeping state
pass out quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state
pass in quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state
Where $ext_if is ext_if="bge0"
>>Are you filtering on a router? Switch? Server?
> pentium 133 mhz that is running freebsd v6.2 and i am using the
> included version pf. so i suppose that it is a server, yes ??
> my internet connection is via a v.90 dialup modem that provides me a
> permanent connected ppp style connection/account (been using some 10
> plus years).
> ext_if=ppp0 = this is teh modem, on serial (comm0/cuad0 ) port 1
> int_if=de0 = nic, accton en1203 21040 (a digital 10 mhz clone)
> this is all that that there is, so i suppose its a simple router ??
> i am thinking of using pf to defend all teh internal machines from
> stuff that makes it through the firewall, is this possible (there seems
> to be nothing, that i have been able to find/understand in teh doc or
> via google) ??
> this means that i am looking at using ipfw as a secondary firewall, or
> just as a filter kind of thing to keep out the stuff that is making it
> through the firewall.
I don't understand what do you mean...
There is no reason to use more then one firewall on the machine and PF
is just fine.
More information about the freebsd-pf