Skip site navigation (1)Skip section navigation (2)
Date:      Wed, 28 Jul 1999 10:14:27 +0200
From:      Alain Thivillon <Alain.Thivillon@hsc.fr>
To:        Scott Taylor <staylor@graphicexpress.net>
Cc:        freebsd-ipfw@freebsd.org
Subject:   Re: reflexive access lists?
Message-ID:  <19990728101427.E28741@yoko.hsc.fr>
In-Reply-To: <379DED83.70D4B4BE@graphicexpress.net>; from Scott Taylor on Tue, Jul 27, 1999 at 11:33:55AM -0600
References:  <379DED83.70D4B4BE@graphicexpress.net>

Next in thread | Previous in thread | Raw E-Mail | Index | Archive | Help
Scott Taylor <staylor@graphicexpress.net> écrivait (wrote) :

> One of the rules that I have in the access lists on my cisco routers
> that I wish I could setup of my freebsd box are reflexive access lists.
> I'd love to be able to allow packets that are replies to requests from
> my machine be automatically allowed without allowing such a blanket

ipfilter use "keep state" to store information about sessions and open
up dynamically tcp, udp and even icmp 'reflexive' flow.

If i want enable all outgoing connections from my box, and block
everything else (warning, this will be a very bas setup if this box is a
router):

pass out quick on lo0 from any to any
pass in quick on lo0 from any to any
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
pass out quick proto tcp from any to any keep state
pass out quick proto udp from any to any keep state
pass out quick proto icmp from any to any keep state
block return-rst in log quick proto tcp from any to any
block return-icmp(port-unr) in log quick proto udp from any to any 
block return-icmp(13) in log from any to any



To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-ipfw" in the body of the message




Want to link to this message? Use this URL: <http://docs.FreeBSD.org/cgi/mid.cgi?19990728101427.E28741>