Help with pf ruleset
norgaard at locolomo.org
Sun Mar 9 20:30:24 UTC 2008
Erik Wilson wrote:
> I know you have cut away a lot of rules, but maybe that just makes
> things more confusing. Try to nest your rules in the following order:
> direction - interface - protocol - src net - dst net - port/type
> You should need no "out" rules if you have "in" rules with keep state.
> At each branch level make a catchup rule at the end with default action
> and "quick" key word to make sure packets don't spill over and get
> matched by other rules.
> Good advice, thanks. I'm afraid I've tried so many different options
> and variations to get this to work that it's not as pretty as it should
> be. I got some of these rules from various examples posted on the web,
> and tweaked them into unrecognizability ;) Do you think that Josh is
> right about needing a route-to rule for the second WAN interface?
It is absolutely possible that the problem is that the ping or response
get sent the wrong way. Use snort to see what goes on. I did not analyze
your setup to the point that I can tell you that.
> Since you're handing out best practices ;) Is it better to use a nat
> pass or rdr pass rule than separate nat/rdr and pass statements? Why?
I prefer to separate things. I know the fewer lines you have, the fewer
lines can contain an error. But on the other hand, the fewer lines you
have, the more obscure and difficult to debug they become.
It is very common that people believe they have errors in their filter
rules when in fact it's nat rules that are wrong.
When you have rdr, nat and binat together, be careful to understand which
order they take effect. They are first match. But since rdr is done on
the way IN while nat is done on the way OUT, an rdr rule can take effect
before the intended nat rule despite it being after the nat rule.
So, to avoid such confusion, write first your rdr, then nat.
Also, use the log statement in your nat rules while debugging.
Ph: +34.666334818 http://www.locolomo.org
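The following is an added example, not part of the thread and not the original poster's ruleset: a minimal pf.conf, in the pre-OpenBSD 4.7 syntax that FreeBSD 7 used in 2008 (separate rdr/nat rules rather than match options), laid out the way the reply above recommends. The interface names, the LAN network and the internal web server address are assumptions chosen for the illustration. It shows rdr written before nat with log on both, the filter section nested direction - interface - protocol - src - dst - port with a quick catch-all per branch, and "keep state" on the in rules so no out rules are needed.

```pf
# Added example, not from the thread.  Interface names, addresses and the
# web server are assumed values for illustration only.
ext_if  = "em0"                 # assumed WAN interface
int_if  = "em1"                 # assumed LAN interface
int_net = "192.168.1.0/24"      # assumed LAN network
web_srv = "192.168.1.10"        # assumed internal web server

set skip on lo0
scrub in all

# --- Translation ---------------------------------------------------------
# Translation rules are first-match, but rdr is applied to packets arriving
# on the interface and nat to packets leaving it, so they are evaluated in
# separate passes.  Writing rdr first keeps the file in the order packets
# are actually processed.  "log" on both sends the translated packet to
# pflog0, so a wrong translation shows up before you start blaming the
# filter rules.
rdr log on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $web_srv port 80
nat log on $ext_if inet from $int_net to any -> ($ext_if)

# --- Filtering -----------------------------------------------------------
# Default deny, logged.  Everything below is "pass in ... keep state", so
# the replies and the forwarded packets leaving $ext_if match state and
# need no "out" rules at all.
block log all

# direction - interface - protocol - src net - dst net - port/type
# Inbound on the WAN side: the redirected web traffic and ping, nothing else.
# Note the filter sees the packet AFTER rdr, so the destination to match is
# $web_srv, not ($ext_if).
pass in quick on $ext_if inet proto tcp  from any to $web_srv  port 80 flags S/SA keep state
pass in quick on $ext_if inet proto icmp from any to ($ext_if) icmp-type echoreq keep state
block in log quick on $ext_if all            # catch-all for this branch

# Inbound on the LAN side: let the LAN out, drop anything not from $int_net.
pass in quick on $int_if inet from $int_net to any keep state
block in log quick on $int_if all            # catch-all for this branch
```

To check the file without loading it, run pfctl -nf /etc/pf.conf; once loaded, pfctl -s nat and pfctl -s rules -v show the translation and filter rules (with match counters), pfctl -s state shows the state entries the in rules created, and tcpdump -n -e -ttt -i pflog0 shows the logged translations and blocked packets, which is the quickest way to tell a wrong nat or rdr rule from a wrong filter rule.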