From owner-freebsd-pf@FreeBSD.ORG Wed Mar 28 09:33:00 2007
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: "'Guillaume'", freebsd-pf@freebsd.org
Date: Wed, 28 Mar 2007 10:32:38 +0100
Subject: RE: Pass through packets
Message-ID: <000001c7711c$06887e60$13997b20$@Hennessy@nviz.net>
In-Reply-To: <460A293F.4030701@free-4ever.net>
References: <000001c76fd3$ac9ad7c0$0301a8c0@d620> <460A293F.4030701@free-4ever.net>
List-Id: "Technical discussion and general questions about packet filter (pf)"

> > Not if you run a default block policy it won't.
>
> I've seen my problem
> I have a rule which is something like an open door for outgoing packets from
> the firewall...

Ahhh, that wouldn't help :-).

> And NAT rules are applied before filtering rules.
> So for traffic going from internal to external, I only have to set up a
> pass rule on the internal interface!
That depends whether you use 'nat pass' or not. I tend not to, as the PF
port on FreeBSD doesn't support logging for 'nat pass' presently. A default
block policy with just 'nat' requires an egress rule.

> > From there only permitted ingress & egress flows will be permitted.
>
> Yep... that's what I have done now.
>
> So if I want very accurate filtering for forwarded packets, I must
> set up 2 rules every time... one pass in on the incoming interface and
> another with pass out on the outgoing interface...

Not necessarily :-). If you don't need to address translate the flow, one
can use pass rules without direction on interface groups combined with
anti-spoofing, e.g.

dmz1="em1"
inside="em2"

antispoof log quick on em1 for .....
antispoof log quick on em2 for .....

pass log quick on em $UDP from to port snmp $KS
pass log quick on em $TCP from $DMZHost to $InsideHost port something $KSF

One rule per flow; state is created on both interfaces, as not specifying
a direction will match both the ingress and the egress flow.

PF on FreeBSD is currently at the revision level of OpenBSD 3.7. Later
versions of PF on OpenBSD have greatly expanded the use of interface groups
and provide some interesting ways of making policies even more concise and
readable. I am sure when Max Laier et al find the time we'll enjoy the
benefit of it too on FreeBSD.

> > I am partial to using generic egress rules in combination with tagging
> > myself.
>
> I'll check the egress rules...

Generic tagged egress rules will make the policy a lot more readable. As
with a PIX, one then just becomes concerned with the ingress interface.

> > Whether that's a consequence of being infected with the Checkpoint and
> > Pix virus at an early age, I know not :-).
>
> LOL
>
> I'm infected with Linux netfilter/iptables... :-)

You have my deepest sympathies :-).

Greg
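The three points Greg makes above (a default block policy with plain 'nat' still needs an egress rule on the external interface, a direction-less rule on an interface group creates state on both interfaces of a flow, and tag-on-ingress with one generic tagged egress rule keeps the policy readable) put together in one pf.conf, as an added example that is not part of Greg's mail or of the FreeBSD or OpenBSD projects. Interface names, the networks, the hosts and the port numbers are assumptions chosen for illustration; the explicit 'flags S/SA keep state' is written out because pf at the OpenBSD 3.7 level does not keep state by default.

```pf
# Added example (not from the original mail). Interface names, networks,
# hosts and ports are assumptions.
ext_if = "em0"
dmz_if = "em1"
int_if = "em2"

dmz_net    = "192.0.2.0/24"    # assumed DMZ network
int_net    = "10.0.0.0/24"     # assumed inside network
dmz_host   = "192.0.2.10"      # assumed DMZ server
inside_host = "10.0.0.20"      # assumed inside server

set skip on lo0

# Drop packets arriving on an interface with a source address that does not
# belong behind that interface, before any pass rule is evaluated.
antispoof log quick for $dmz_if
antispoof log quick for $int_if

# Plain 'nat' only rewrites the source; the translated flow still has to
# match a pass rule on $ext_if below. 'nat pass' would skip filtering for
# the flow, but cannot be logged on this PF revision.
nat on $ext_if from $int_net to any -> ($ext_if)

# Default block policy, logged.
block log all

# Ingress: the decision is made where the packet enters, and the packet is
# tagged with where it is allowed to go. Tags survive NAT and follow the
# state, so the egress side never needs to repeat the addresses.
pass in log quick on $int_if proto tcp from $int_net to any \
    port { 80, 443 } flags S/SA keep state tag INTERNET
pass in log quick on $dmz_if proto tcp from $dmz_host to $inside_host \
    port ssh flags S/SA keep state tag INSIDE

# Egress: one generic rule per outbound interface, keyed on the tag only.
pass out log quick on $ext_if tagged INTERNET keep state
pass out log quick on $int_if tagged INSIDE keep state

# Direction-less rule on the 'em' interface group for a flow that is not
# translated: it matches the packet coming in on em2 and the same packet
# going out on em1, so a single rule creates state on both interfaces.
pass log quick on em proto udp from $int_net to $dmz_net port snmp keep state
```

Load it with 'pfctl -nf /etc/pf.conf' first to let pfctl check the syntax without changing the running ruleset. Because 'block log all' sits before the pass rules and every pass rule is 'quick', a flow that matches no ingress rule is logged and dropped, and a flow that was passed in but carries no tag matching an egress rule is also logged and dropped on its way out, which is the check that the plain 'nat' rule depends on.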