From owner-freebsd-pf@FreeBSD.ORG Wed Mar 28 08:37:22 2007
Return-Path:
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id 8830F16A400 for ; Wed, 28 Mar 2007 08:37:22 +0000 (UTC) (envelope-from silencer@free-4ever.net)
Received: from orthosie.free-4ever.net (orthosie.free-4ever.net [88.191.27.106]) by mx1.freebsd.org (Postfix) with ESMTP id 28D6413C45A for ; Wed, 28 Mar 2007 08:37:22 +0000 (UTC) (envelope-from silencer@free-4ever.net)
Received: from localhost (localhost.localdomain [127.0.0.1]) by orthosie.free-4ever.net (Postfix) with ESMTP id 2AFB469787 for ; Wed, 28 Mar 2007 10:37:21 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at free-4ever.net
Received: from orthosie.free-4ever.net ([127.0.0.1]) by localhost (orthosie.free-4ever.net [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id VOlNb-GgYkWf for ; Wed, 28 Mar 2007 10:37:20 +0200 (CEST)
Received: from [192.168.48.187] (unknown [83.145.94.46]) (Authenticated sender: silencer@free-4ever.net) by orthosie.free-4ever.net (Postfix) with ESMTP id 417B369781 for ; Wed, 28 Mar 2007 10:37:20 +0200 (CEST)
Message-ID: <460A293F.4030701@free-4ever.net>
Date: Wed, 28 Mar 2007 10:37:19 +0200
From: Guillaume
User-Agent: IceDove 1.5.0.10 (X11/20070307)
MIME-Version: 1.0
To: freebsd-pf@freebsd.org
References: <000001c76fd3$ac9ad7c0$0301a8c0@d620>
In-Reply-To: <000001c76fd3$ac9ad7c0$0301a8c0@d620>
Content-Type: text/plain; charset=windows-1250
Content-Transfer-Encoding: 7bit
Subject: Re: Pass through packets
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Wed, 28 Mar 2007 08:37:22 -0000

>> With iptables
>> we can set a rule: iptables -t filter -A FORWARD -i eth0 -o
>> eth1 etc....
>>
>> With packet filter, how can I have such a way of processing my packets?
>>
>> If I set up a rule
>>
>>   pass in on $if_internal inet proto tcp \
>>     from $internal_networks to any \
>>     flags S/SA modulate state
>>
>> the packets from my internal networks can also exit on my DMZ
>> interfaces!
>
> Not if you run a default block policy it won't.
>

I've seen my problem: I have a rule which is something like an open door for outgoing packets from the firewall... And NAT rules are applied before filtering rules. So for traffic going from internal to external, I only have to set up a pass rule on the internal interface! But for packets going from internal to the DMZ I have to set up 2 rules.... one with pass in on the internal interface and another one with pass out on the DMZ interface!

> The 1st packet filtering rule of every pf policy should be
>
>   block log all
>
> From there only permitted ingress & egress flows will be permitted.
>

Yep... that's what I have done now. So if I want very accurate filtering for forwarded packets, I must set up 2 rules every time... one pass in on the incoming interface and another with pass out on the outgoing interface...

>> Is the only way to set that up to specify a destination
>> with ! { $dmz_networks1, $dmz_networks2 } ?
>
> There's a number of ways to skin this particular cat.
>
> I am partial to using generic egress rules in combination with tagging
> myself.
>

I'll check the egress rules...

> My personal PF policy style is to code '1st' match by using 'quick' on every
> rule.

Me too.

> Whether that's a consequence of being infected with the Checkpoint and Pix
> virus at an early age, I know not :-).
>

LOL, I'm infected with Linux netfilter/iptables... :-)

> I would also counsel against the use of 'any'.
> Negation is a mite more logical and less error prone on larger policies
> IMHO.

Ok... I'll think about that too.

> Tables will also reduce macro expansion.
>

Ok... the same :-)

Thanks

> Greg

Guillaume

-- 
Guillaume
E-mail: silencer__free-4ever__net
Blog: http://guillaume.free-4ever.net
----
Site: http://www.free-4ever.net
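The rule set below is an added illustration of the advice exchanged in this thread (a `block log all` default, `quick` on every rule, a pass-in/pass-out pair per forwarding path, tagging on ingress with generic egress rules, tables instead of macro lists, and negation instead of `any`). It is not from the original posters; the interface names, address ranges, ports and tag names are constructed placeholders, and the syntax is FreeBSD pf.conf with `keep state` written explicitly so it reads the same on older pf where state is not implicit.

```pf
# Constructed example pf.conf: interface names and networks are placeholders.
ext_if = "em0"
int_if = "em1"
dmz_if = "em2"

# Tables instead of macro lists: no macro expansion, cheap to update at runtime.
table <internal_nets> { 192.168.10.0/24, 192.168.20.0/24 }
table <dmz_nets>      { 10.0.1.0/24 }

set skip on lo0

# NAT is evaluated before the filter rules: internal hosts leaving through
# the external interface are translated to its address.
nat on $ext_if from <internal_nets> to any -> ($ext_if)

# First filter rule: default deny, logged, so only explicitly permitted
# ingress and egress flows are passed.
block log all

# Internal -> Internet.  Negate the DMZ table instead of writing "to any" so
# this rule cannot silently cover DMZ traffic.  The flow is tagged on ingress
# and a generic egress rule on the external interface lets only tagged flows out.
pass in  quick on $int_if inet proto tcp from <internal_nets> to ! <dmz_nets> \
         flags S/SA modulate state tag INT_TO_EXT
pass out quick on $ext_if tagged INT_TO_EXT keep state

# Internal -> DMZ.  The same pass-in / pass-out pair, restricted to the DMZ
# table and the ports the DMZ actually serves.
pass in  quick on $int_if inet proto tcp from <internal_nets> to <dmz_nets> \
         port { 80, 443 } flags S/SA modulate state tag INT_TO_DMZ
pass out quick on $dmz_if tagged INT_TO_DMZ keep state

# Anything else reaching an egress interface without a tag falls through to
# "block log all" above and shows up in pflog for review.
```

Load it with `pfctl -nf /etc/pf.conf` first (syntax check only), then `pfctl -f /etc/pf.conf`; `pfctl -sr` shows the loaded rules and `pfctl -t dmz_nets -T show` the table contents. Because every rule carries `quick`, rule order is the policy: a packet stops at the first match, so the block rule at the top only catches what no pass rule claimed.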