Understanding the keep state?

Fire walls fayerwall at gmail.com
Wed Jun 24 01:24:24 UTC 2009


  Hi people.

  I started working with pf in FreeBSD 7.2.

  It is working, but I have some doubts that I would like someone to clarify
for me.

  My home network is the classic one, 2 nics:

   Nic1 --> ng0 Public IP PPPoE
   Nic2 --> sis0 My Home network.

   All my clients (Windows boxes, Linux and BSD) receive their IP from my
firewall. If someone tries to access the outside, they reach Nic2 and then
Nic1, and with that they can access the outside.

   The keep state function is there to track each connection; in my case I
prefer to open just the ports I need, for example www.

Nic1 --> ExtIF
Nic2 --> IntIF
LOCALLAN= 192.168.50.0/24

*Nat Rule
nat on $ExtIF inet from $LOCALLAN to any -> ($ExtIF)

*LAN Rule
pass in quick on $IntIF proto tcp from $LOCALLAN to any port 80 flags S/SA

*Firewall Rule
pass out quick on $ExtIF proto tcp from any to any port 80 flags S/SA keep state label "Internet Browsing http"

  In my case, anyone who needs access to the outside (www) first reaches
the "LAN Rule", then the IntIF detects that they are trying to access an
IP that is not on its side, then that NIC forwards the packet to the next
gateway, in this case the ExtIF, and it hits the "Firewall Rule".

  Working this way, where is the best place to put the "keep state" statement:
in the "LAN Rules", in the "Firewall Rules", or in both?

  Thanks all for your help; if I'm doing this the wrong way please let me
know, I want to get a deep understanding of pf.
-- 
:-)
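An added example, not the poster's ruleset: the same two-NIC setup written out as a complete pf.conf with "keep state" on both rules, using the interface names ng0 and sis0 from the post; the "block log all" default-deny line is an assumption added here.

```pf
# Added example (not the original post's file). Interface names are taken
# from the post: ng0 is the public PPPoE link, sis0 is the home LAN.
ExtIF = "ng0"
IntIF = "sis0"
LOCALLAN = "192.168.50.0/24"

# Hide the LAN behind whatever address ng0 currently has; the parentheses
# make pf re-read the address, which matters on a PPPoE link.
nat on $ExtIF inet from $LOCALLAN to any -> ($ExtIF)

# Assumed default-deny so a browsing session is only allowed by the rules
# below (and blocked packets show up in pflog for inspection).
block log all

# LAN rule: the client's SYN arrives on sis0. "keep state" here creates a
# state entry on the inside, so the rest of that session, including the
# replies heading back to the client, is matched by state on sis0 instead
# of being re-evaluated against the ruleset.
pass in quick on $IntIF proto tcp from $LOCALLAN to any port 80 \
    flags S/SA keep state label "LAN http out"

# Firewall rule: the same SYN, now source-translated to ng0's address,
# leaves on ng0. "keep state" here creates the entry that lets the server's
# SYN/ACK back in on ng0; without it the "block log all" above would drop
# the reply, since there is no "pass in" rule for it.
pass out quick on $ExtIF proto tcp from any to any port 80 \
    flags S/SA keep state label "Internet Browsing http"

# Note: the pf shipped with FreeBSD 7.x (derived from OpenBSD 4.1) keeps
# state and uses "flags S/SA" on pass rules by default, so writing them out
# on both rules only makes the intent explicit.
```

`pfctl -nf /etc/pf.conf` parses the file without loading it; after a client opens a connection, `pfctl -s state` lists the entries these rules created.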