Date:      Wed, 28 Mar 2007 14:40:37 +0200
From:      Guillaume <silencer@free-4ever.net>
To:        freebsd-pf@freebsd.org
Subject:   Re: Pass through packets
Message-ID:  <460A6245.9010802@free-4ever.net>
In-Reply-To: <000001c7711c$06887e60$13997b20$@Hennessy@nviz.net>
References:  <000001c76fd3$ac9ad7c0$0301a8c0@d620> <460A293F.4030701@free-4ever.net> <000001c7711c$06887e60$13997b20$@Hennessy@nviz.net>

>>> Not if you run a default block policy it won't.
>>>
>> I've seen my problem
>>
>> I have a rule which is something like an open door for outgoing packets from
>> the firewall...
> 
> Ahhh, that wouldn't help :-). 
> 
hhhmmm :-)

This rule has the IP of the external interface as its source.... but NAT is
applied before filtering...

So all my outgoing traffic which needs to be NATed was accepted on
outbound!


>> And NAT rules are applied before filtering rules.
>> So for traffic going from internal to external, I only have to set up a
>> pass rule on the internal interface!
> 
> That depends whether you use 'nat pass' or not. I tend not to, as the PF
> port on FreeBSD doesn't support logging for 'nat pass' presently. 
> 
I use nat without pass

> A default block policy with just 'nat' requires an egress rule. 
> 
Yep...

>>> From there only permitted ingress & egress flows will be permitted.
>>>
>> Yep... that's what I have done now.
>>
>> So if I want a very accurate filtering for forwarding packets, I must
>> setup 2 rules every time... one pass in on the incoming interface and
>> another with pass out on the outgoing interface...
> 
> Not necessarily :-). 
> 
In my case.... it seems ! :-(

> If you don't need to address translate the flow, one can use pass rules
> without direction on interface groups combined with anti spoofing.  
> 
My internal network is 192.168.x.x
I have a dmz with public IP and another with private IP...

> e.g 
> 
> 	dmz1="em1"
> 	inside="em2"
> 
> 	antispoof log quick on em1 for .....
> 	antispoof log quick on em2 for .....
> 
> 	pass log quick on em $UDP from <insidenets> to <dmznet> port snmp $KS
> 	pass log quick on em $TCP from $DMZHost to $InsideHost port something $KSF
> 
> One rule per flow, state created on both interfaces as not specifying
> direction will match both ingress and egress flows. 
> 
I'll keep that in mind :-)


>>> Whether that's a consequence of being infected with the Checkpoint
>> and Pix
>>> virus at an early age, I know not :-).
>>>
>> LOL
>>
>> I'm infected with Linux netfilter/iptables... :-)
> 
> You have my deepest sympathies :-).
> 
Thx :-)

> 
> 
> Greg
> 
> 
> 
Guillaume


-- 
Guillaume
E-mail: silencer_<at>_free-4ever_<dot>_net
Blog: http://guillaume.free-4ever.net
----
Site: http://www.free-4ever.net
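As an added example (not code from the thread), a pf.conf in the FreeBSD pf syntax of the time that puts the three points above together: the "open door" egress rule that silently matched NATed traffic, the per-direction pass rules a translated flow needs when 'nat' is used without 'pass', and the direction-less interface-group rule with antispoof for untranslated flows. Interface names, address ranges and the ports are assumptions chosen for illustration; the group name 'em' assumes interface-group support as in Greg's sketch.

```pf
# Added example, not from the thread. Interface names and addresses are
# assumed for illustration.
ext_if  = "em0"
dmz_if  = "em1"     # DMZ, public addresses, not translated
int_if  = "em2"     # inside, RFC 1918 addresses, translated on the way out
int_net = "192.168.1.0/24"
dmz_net = "192.0.2.0/24"        # documentation range standing in for public space

set skip on lo0
scrub in all

# Translation runs before the filter rules, so a forwarded packet from
# $int_net already carries the firewall's own address on $ext_if when the
# 'pass out' rules are evaluated. No 'pass' keyword here: the flow still
# has to be permitted by filter rules on both interfaces.
nat on $ext_if from $int_net to any -> ($ext_if)

block log all                     # default block policy

# Anti-spoofing on the inside-facing interfaces, which the direction-less
# rules below rely on.
antispoof log quick for $int_if
antispoof log quick for $dmz_if

# WRONG (the "open door"): meant to let the firewall itself talk out, but
# after NAT every forwarded internal flow also matches this source address.
# pass out quick on $ext_if from ($ext_if) to any keep state

# Translated inside -> Internet flows need a rule per direction:
# 'pass in' on the inside interface ...
pass in log on $int_if proto tcp from $int_net to any port { 80 443 } keep state
# ... and the egress rule on the external interface, written against the
# translated source, since that is what the packet looks like by now.
pass out log on $ext_if proto tcp from ($ext_if) to any port { 80 443 } keep state

# Untranslated inside <-> DMZ flows: one rule without a direction on the
# interface group 'em' matches the packet both when it enters on em2 and
# when it leaves on em1, so a single rule per flow creates state on both.
pass log quick on em proto udp from $int_net to $dmz_net port snmp keep state
pass log quick on em proto tcp from $int_net to $dmz_net port ssh keep state
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -s rules` afterwards to confirm the group rule expanded onto both interfaces.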


