Date:      Mon, 26 Mar 2007 19:22:12 +0100
From:      "Greg Hennessy" <Greg.Hennessy@nviz.net>
To:        "'Guillaume'" <silencer@free-4ever.net>, <freebsd-pf@freebsd.org>
Subject:   RE: Pass through packets
Message-ID:  <000001c76fd3$ac9ad7c0$0301a8c0@d620>
In-Reply-To: <4607EA4D.1020304@free-4ever.net>

> Hi,
> 
> I just want to know how to properly handle packets which pass 
> through the firewall...

That depends on what you're trying to do exactly. 

> 
> I can handle for all packets coming to all interface of my 
> firewall and the same with outgoing packets by using in/out 
> with statement "on $interface"
> 
> But what about forwarding packets ?

Properly configured routing is your best friend. 

If you need some form of policy based routing, rdr & route-to

http://www.openbsd.org/faq/pf/pools.html#outgoing

will facilitate that. 


> With iptables
> we can set a rule: iptables -t filter -A FORWARD -i eth0 -o 
> eth1 etc....
> 
> With packet filter how can I have such a way of processing my packets?
> 
> If I set up a rule pass in on $if_internal inet proto tcp \
> 	from $internal_networks to any \
> 	flags S/SA modulate state
> 
> The packet from my internal networks can also exit on my DMZ 
> interfaces !

Not if you run a default block policy it won't. 

The 1st packet filtering rule of every pf policy should be

	block log all

From there only permitted ingress & egress flows will be permitted. 

> 
> Is the only way to setup that is to specify a destination 
> with ! { $dmz_networks1, $dmz_networks2 } ?


There's a number of ways to skin this particular cat. 

I am partial to using generic egress rules in combination with tagging
myself. 

My personal PF policy style is to code '1st' match by using 'quick' on every
rule. 
Whether that's a consequence of being infected with the Checkpoint and Pix
virus at an early age, I know not :-). 

I would also counsel against the use of 'any'. 
Negation is a mite more logical and less error prone on larger policies
IMHO. 
Tables will also reduce macro expansion. 


Greg




> 
> Thx for any help.
> 
> Regards
> Guillaume
> 
> --
> Guillaume
> E-mail: silencer_<at>_free-4ever_<dot>_net
> Blog: http://guillaume.free-4ever.net
> ----
> Site: http://www.free-4ever.net
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
> 
> 
> -- 
> No virus found in this incoming message.
> Checked by AVG Free Edition.
> Version: 7.5.446 / Virus Database: 268.18.18/733 - Release 
> Date: 25/03/2007 11:07
>  
> 

-- 
No virus found in this outgoing message.
Checked by AVG Free Edition.
Version: 7.5.446 / Virus Database: 268.18.18/733 - Release Date: 25/03/2007 11:07
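The policy style Greg describes above (a logged default block first, 'quick' on every rule, tables instead of macro lists, negation instead of 'any', and tagging on ingress matched by 'tagged' on egress) as a worked pf.conf fragment. This is an added example, not configuration from either poster: the interface names, networks and table contents are constructed, and it is written for current pf syntax, where pass rules are stateful by default and so the tagging rules carry 'no state'; on the pf of that era pass rules were stateless unless 'keep state' was given, so that keyword was not needed there.

```pf
# Added example, not from the thread. Interface names and addresses
# are assumptions chosen for illustration.
ext_if = "fxp0"
int_if = "fxp1"
dmz_if = "fxp2"

# Tables keep the ruleset small: one rule per table instead of one rule
# per expanded macro element.
table <internal_nets> const { 192.168.1.0/24, 192.168.2.0/24 }
table <dmz_nets>      const { 10.0.0.0/24 }
table <dmz_web>       const { 10.0.0.10, 10.0.0.11 }

set skip on lo0

# 1. Default deny, logged. Nothing forwards unless a later rule admits it
#    on the way in AND a matching egress rule admits it on the way out.
block log all

# 2. Ingress from the LAN: classify and tag, but create no state here, so
#    the packet is still evaluated against the egress rules of the exit
#    interface. Negation on the destination replaces 'to any'.
pass in quick on $int_if inet proto tcp \
    from <internal_nets> to ! <dmz_nets> \
    flags S/SA no state tag INT_TO_WORLD

pass in quick on $int_if inet proto tcp \
    from <internal_nets> to <dmz_web> port { 80, 443 } \
    flags S/SA no state tag INT_TO_DMZ

# 3. Egress: state is created on the exit interface, and only for packets
#    carrying the tag that belongs to that interface. A LAN packet that
#    tries to leave via $dmz_if without INT_TO_DMZ falls through to the
#    'block log all' rule and shows up in pflog.
pass out quick on $ext_if inet proto tcp tagged INT_TO_WORLD \
    flags S/SA modulate state

pass out quick on $dmz_if inet proto tcp tagged INT_TO_DMZ \
    flags S/SA modulate state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`, and confirm that rejected flows appear on the log interface with `tcpdump -n -e -ttt -i pflog0`. The design point is that forwarding is never implied by a single 'pass in' rule: the ingress rule decides which class a packet belongs to, and the egress rule on each interface decides which classes may leave through it, so adding a new DMZ host or a new outbound service means editing one table or one tagged egress rule rather than re-deriving negated destination lists.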