Date: Wed, 28 Mar 2007 14:40:37 +0200
From: Guillaume <silencer@free-4ever.net>
To: freebsd-pf@freebsd.org
Subject: Re: Pass through packets
Message-ID: <460A6245.9010802@free-4ever.net>
In-Reply-To: <000001c7711c$06887e60$13997b20$@Hennessy@nviz.net>
References: <000001c76fd3$ac9ad7c0$0301a8c0@d620> <460A293F.4030701@free-4ever.net> <000001c7711c$06887e60$13997b20$@Hennessy@nviz.net>
>>> Not if you run a default block policy it won't.
>>>
>> I've seen my problem.
>>
>> I have a rule which is something like an open door for outgoing packets from
>> the firewall...
>
> Ahhh, that wouldn't help :-).
>
hhhmmm :-) This rule has the IP of the external interface as its source... but NAT is applied before filtering... So all my outgoing traffic which needs to be NATed was accepted on outbound!

>> And NAT rules are applied before filtering rules.
>> So for traffic going from internal to external, I only have to set up a
>> pass rule on the internal interface!
>
> That depends whether you use 'nat pass' or not. I tend not to, as the PF
> port on FreeBSD doesn't support logging for 'nat pass' presently.
>
I use nat without pass.

> A default block policy with just 'nat' requires an egress rule.
>
Yep...

>>> From there only permitted ingress & egress flows will be permitted.
>>>
>> Yep... that's what I have done now.
>>
>> So if I want very accurate filtering for forwarded packets, I must
>> set up 2 rules every time... one pass in on the incoming interface and
>> another with pass out on the outgoing interface...
>
> Not necessarily :-).
>
In my case.... it seems so! :-(

> If you don't need to address translate the flow, one can use pass rules
> without direction on interface groups combined with anti spoofing.
>
My internal networks are 192.168.x.x. I have a DMZ with public IPs and another with private IPs...

> e.g.
>
> dmz1="em1"
> inside="em2"
>
> antispoof log quick on em1 for .....
> antispoof log quick on em2 for .....
>
> pass log quick on em $UDP from <insidenets> to <dmznet> port snmp
> $KS
> pass log quick on em $TCP from $DMXHost to $InsideHost port
> something $KSF
>
> One rule per flow, state created on both interfaces as not specifying
> direction will match both ingress and egress flows.
>
I'll keep that in mind :-)

>>> Whether that's a consequence of being infected with the Checkpoint
>>> and Pix virus at an early age, I know not :-).
>>>
>> LOL
>>
>> I'm infected with Linux netfilter/iptables... :-)
>
> You have my deepest sympathies :-).
>
Thx :-)

>
> Greg
>
>
> Guillaume

-- 
Guillaume
E-mail: silencer_<at>_free-4ever_<dot>_net
Blog: http://guillaume.free-4ever.net
----
Site: http://www.free-4ever.net
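As an added illustration (not part of this thread nor of either poster's configuration), a pf.conf skeleton covering the two situations discussed: the translated inside-to-Internet flow, which under a default block policy needs a filter rule on each interface because 'nat' without 'pass' only rewrites the packet, and the untranslated inside-to-DMZ flow handled by one direction-less rule on the "em" interface group together with antispoof. Interface names, networks, hosts and ports are assumptions.

```pf
# Added example, not from the thread. Interfaces, networks and hosts are
# assumed values; em0/em1/em2 all belong to the "em" interface group
# that FreeBSD creates from the driver name.
ext_if  = "em0"
int_if  = "em1"
dmz_if  = "em2"
int_net = "192.168.1.0/24"    # assumed private inside network
dmz_net = "10.0.0.0/24"       # assumed private DMZ network
table <insidenets> { 192.168.1.0/24 }
table <dmznet>     { 10.0.0.0/24 }

set skip on lo0

# Translation is evaluated before filtering, so a filter rule on em0
# already sees the translated source (the external address).
nat on $ext_if inet from $int_net to any -> ($ext_if)

# Default block policy: only explicitly permitted flows pass.
block log all

# Anti-spoofing on the internal interfaces; required for the
# direction-less group rules below to be safe.
antispoof log quick for $int_if inet
antispoof log quick for $dmz_if inet

# Case 1: translated flow, inside -> Internet. 'nat' without 'pass' only
# rewrites the packet, so a filter rule is needed on each interface it
# crosses: ingress on em1 and egress on em0. A rule passing anything
# from ($ext_if) outbound would also match all the NATed traffic here.
pass in  quick on $int_if inet proto tcp from $int_net to any \
    port { 80, 443 } flags S/SA keep state
pass out quick on $ext_if inet proto tcp from ($ext_if) to any \
    port { 80, 443 } flags S/SA keep state

# Case 2: untranslated flow between inside and DMZ. One rule without a
# direction on the group "em" matches the packet arriving on em1 and
# again leaving on em2, so state is created on both interfaces.
pass log quick on em inet proto udp from <insidenets> to <dmznet> \
    port snmp keep state
pass log quick on em inet proto tcp from 10.0.0.5 to 192.168.1.10 \
    port 3306 flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` afterwards shows the two states created per DMZ connection versus the one per interface for the translated flow.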