OpenBSD's pf and traffic
Eugene M. Minkovskii
emin at mccme.ru
Tue Mar 22 04:42:31 PST 2005
On Tue, Mar 22, 2005 at 01:18:27PM +0100, Peter N. M. Hansteen wrote:
" "Eugene M. Minkovskii" <emin at mccme.ru> writes:
"
" I'd say something along the lines of
"
" allowed_out = "{ ssh, domain, http, https, etc... }"
"
" pass out on $ext_if proto tcp to any port $allowed_out label allowed-out keep state
"
" you could differentiate among source addresses, for example by
" specifying
"
" client1 = "{ 192.168.n.1, 192.168.n.2 }"
" client2 = "{ 192.168.n.3, 192.168.n.4 }"
"
" client2_inports = { whatever they need }
"
" pass out on $ext_if proto tcp from $client1 to any port $allowed_out \
" label client1 keep state
"
" pass out on $ext_if proto tcp from $client2 to any port $allowed_out \
" label client2-out keep state
"
" pass in on $ext_if proto tcp from any to $client2 port $client2_inports label client2-in keep state
"
" and so on. Hope this helps.
Just a moment, does it mean that your last rule allows any
incoming connections from the world to clients if they match
client2_inports, ANY, not only connections opened by clients?
Moreover, I read in the documentation that the state table is read BEFORE
the rules, and connections that are opened by clients in the first rule:
pass out on $ext_if proto tcp from $client1 to any port $allowed_out \
label client2 keep state
will not be marked by label client2-in because they don't pass through
this rule. Am I right?
--
Sensory yours, Eugene Minkovskii
Сенсорно ваш, Евгений Миньковский
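The ruleset below is an added example, not part of the thread or of either author's configuration; it restates the pattern Peter proposed with directions, protocols and ports written out explicitly, so that the two points Eugene raises (which packets the inbound rule admits, and which rule a client-opened connection is charged to) are visible in the rules themselves. The interface name and addresses are assumed placeholders.

```pf
# Added example (not from the thread). Interface and addresses are
# assumed placeholders; port lists use names from /etc/services.
ext_if = "fxp0"
client1 = "{ 192.168.1.1, 192.168.1.2 }"
client2 = "{ 192.168.1.3, 192.168.1.4 }"
allowed_out = "{ ssh, domain, http, https }"
client2_inports = "{ ssh, http }"

# Default deny in both directions; logging blocks makes mistakes visible.
block log all

# Outbound, per client group. The SYN of a client-opened connection is
# evaluated against the ruleset and creates a state entry owned by this
# rule; every later packet of that connection, including the inbound
# replies, is matched in the state table first and never reaches the
# "pass in" rule below, so it is counted under this rule's label.
pass out on $ext_if proto tcp from $client1 to any port $allowed_out \
    flags S/SA keep state label "client1-out"
pass out on $ext_if proto tcp from $client2 to any port $allowed_out \
    flags S/SA keep state label "client2-out"

# Inbound. This rule admits ANY new TCP connection from the outside to
# $client2 on $client2_inports, unsolicited ones included; that is what
# it is for. "flags S/SA" means only a SYN can create state here, so a
# stray ACK or RST with no matching state is still dropped by the
# default block. Services not listed in $client2_inports stay closed.
pass in on $ext_if proto tcp from any to $client2 port $client2_inports \
    flags S/SA keep state label "client2-in"
```

To confirm the behaviour on a running system, `pfctl -s labels` prints the per-label packet and byte counters, and `pfctl -s state` lists the current state entries; a connection opened from a $client1 host will show up only under client1-out, while client2-in only grows when something outside initiates a connection to the listed ports.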