Date:      Wed, 28 Mar 2007 10:32:38 +0100
From:      "Greg Hennessy" <>
To:        "'Guillaume'" <>, <>
Subject:   RE: Pass through packets
Message-ID:  <000001c7711c$06887e60$13997b20$>
In-Reply-To: <>
References:  <000001c76fd3$ac9ad7c0$0301a8c0@d620> <>

> >
> > Not if you run a default block policy it won't.
> >
> I've seen my problem
> I have a rule which is something like opendoor for outgoing packet from
> the firewall...

Ahhh, that wouldn't help :-). 

> And NAT rules are applied before filtering rules.
> So for traffic going from internal to external, I only have to setup a
> pass rule on the internal interface !

That depends whether you use 'nat pass' or not. I tend not to, as the PF
port on FreeBSD doesn't support logging for 'nat pass' presently. 

A default block policy with just 'nat' requires an egress rule. 

> > From there only permitted ingress & egress flows will be permitted.
> >
> Yep... that's what I have done now.
> So if I want a very accurate filtering for forwarding packets, I must
> setup 2 rules every time... one pass in on the incoming interface and
> another with pass out on the outgoing interface...

Not necessarily :-). 

If you don't need to address translate the flow, one can use pass rules
without direction on interface groups combined with anti spoofing.  

	antispoof log quick on em1 for .....
	antispoof log quick on em2 for .....

	pass log quick on em $UDP from <insidenets> to <dmznet> port snmp
	pass log quick on em $TCP from $DMZHost to $InsideHost port something $KSF

One rule per flow, state created on both interfaces as not specifying
direction will match both ingress and egress flows. 

PF on FreeBSD is currently @ the revision level of OpenBSD 3.7. 
Later versions of PF on OpenBSD have greatly expanded the use of interface
groups and provide some interesting ways of making policies even more
concise and readable.
I am sure when Max Laier et al find the time we'll enjoy the benefit of it
too on FreeBSD. 

> > I am partial to using generic egress rules in combination with
> tagging
> > myself.
> >
> I'll check the egress rules...

Generic tagged egress rules will make the policy a lot more readable.
As with a PIX, one then just becomes concerned with the ingress interface. 

> > Whether that's a consequence of being infected with the Checkpoint
> and Pix
> > virus at an early age, I know not :-).
> >
> I'm infected with Linux netfilter/iptables... :-)

You have my deepest sympathies :-).

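As an added illustration (not part of the message above), here is a pf.conf sketch that ties the points together: a default block policy, plain 'nat' (so outbound traffic still needs an egress rule), antispoof plus a direction-less pass rule on the em driver group as in the message, and a generic tagged egress rule. The interface names, addresses, table contents and the INSIDE_OUT tag are assumptions; the nat syntax is the pre-OpenBSD-4.7 form that FreeBSD pf used at the time.

```pf
# Assumed interfaces: em0 external, em1 inside, em2 DMZ (all in the "em" group)
ext_if = "em0"
int_if = "em1"
dmz_if = "em2"

# Constructed sample address ranges
table <insidenets> { 192.168.10.0/24 }
table <dmznet>     { 192.168.20.0/24 }

set skip on lo0
scrub in all

# 'nat' without 'pass': translation happens, but with a default block
# policy the translated flow still has to match an egress rule on $ext_if.
nat on $ext_if from <insidenets> to any -> ($ext_if)

# Default block policy: only explicitly permitted ingress/egress flows pass.
block log all

# Drop packets arriving on the wrong interface for their source address.
antispoof log quick for $int_if
antispoof log quick for $dmz_if

# One rule per flow, no direction given: matched on ingress (em1) and on
# egress (em2), so state is created on both interfaces.
pass log quick on em proto udp from <insidenets> to <dmznet> port snmp keep state

# Tagging: classify on the ingress interface, then a single generic egress
# rule on the outside interface admits anything carrying the tag.
pass in log quick on $int_if proto tcp from <insidenets> to any \
    port { http, https } tag INSIDE_OUT keep state
pass out log quick on $ext_if tagged INSIDE_OUT keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading it, and `pfctl -s rules` / `pfctl -s state` to confirm which rules and states the traffic actually hits.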