OpenBSD's pf and traffic
Peter N. M. Hansteen
peter at bgnett.no
Tue Mar 22 04:21:05 PST 2005
"Eugene M. Minkovskii" <emin at mccme.ru> writes:
> pass out on $ext_if proto tcp all modulate state flags S/SA
> pass out on $ext_if proto { udp, icmp } all keep state
>
> So, where could I put a label to mark inbound traffic? This traffic
> goes into my machine because I use the state table.
I'd say something along the lines of
allowed_out = "{ ssh, domain, http, https, etc... }"
pass out on $ext_if proto tcp to port $allowed_out label allowed-out keep state
you could differentiate among source addresses, for example by
specifying
client1 = "{ 192.168.n.1, 192.168.n.2 }"
client2 = "{ 192.168.n.3, 192.168.n.4 }"
client2_inports = "{ whatever they need }"
pass out on $ext_if proto tcp from $client1 to any port $allowed_out \
label client1 keep state
pass out on $ext_if proto tcp from $client2 to any port $allowed_out \
label client2-out keep state
pass proto tcp from any to $client2 port $client2_inports \
label client2-in keep state
and so on. Hope this helps.
--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://www.blug.linux.no/rfc1149/ http://www.datadok.no/ http://www.nuug.no/
"First, we kill all the spammers" The Usenet Bard, "Twice-forwarded tales"
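An added example, not part of the original post: once rules carry labels like the ones above, their counters can be read with `pfctl -s labels` and summed per client. This script assumes the column layout `label evaluations packets bytes packets_in bytes_in packets_out bytes_out`; the sample output embedded below is constructed, not captured from a real host.

```sh
#!/bin/sh
# Constructed stand-in for `pfctl -s labels` output (columns assumed:
# label evals packets bytes packets_in bytes_in packets_out bytes_out).
SAMPLE='allowed-out 120 500 61000 200 20000 300 41000
client1 40 100 9000 50 4000 50 5000
client2-out 60 200 30000 80 10000 120 20000
client2-in 30 150 22000 100 18000 50 4000'

# label_bytes OUTPUT LABEL: total bytes (column 4) for one exact label.
label_bytes() {
    printf '%s\n' "$1" | awk -v l="$2" '$1 == l { print $4 }'
}

# client_totals OUTPUT: strip a trailing -in/-out suffix so that the
# client2-in and client2-out labels collapse into one "client2" line,
# then sum total bytes per client. Output is "name bytes", sorted.
client_totals() {
    printf '%s\n' "$1" | awk '
        NF >= 4 {
            name = $1
            sub(/-(in|out)$/, "", name)
            total[name] += $4
        }
        END { for (n in total) printf "%s %d\n", n, total[n] }' | sort
}

# On a live firewall you would replace $SAMPLE with "$(pfctl -s labels)".
client_totals "$SAMPLE"
```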
More information about the freebsd-questions mailing list