Date:      Fri, 04 Mar 2005 13:30:24 -0800
From:      Ben Shelton <fbsd-pf@shelton.ca>
To:        Daniel Hartmeier <daniel@benzedrine.cx>
Cc:        freebsd-pf@freebsd.org
Subject:   Re: pf routing issue?
Message-ID:  <4228D370.6020802@shelton.ca>
In-Reply-To: <20050304180024.GD6369@insomnia.benzedrine.cx>
References:  <42289DEA.5050205@shelton.ca> <20050304174927.GC6369@insomnia.benzedrine.cx> <4228A136.30707@shelton.ca> <20050304180024.GD6369@insomnia.benzedrine.cx>

Daniel,
Thanks for the help.  Pretty silly of me - I guess I assumed that it 
allowed it right through the firewall, which would be pretty bad. 
Anyway I've tested allowing through both sides at various times, just 
probably not in the right combination.
I'll rewrite stuff and give it a shot tonight.
Thanks,
Ben

Daniel Hartmeier wrote:
> On Fri, Mar 04, 2005 at 09:56:06AM -0800, Ben Shelton wrote:
> 
> 
>>I'm actually trying to connect from an outside host through the firewall 
>>to a host behind the firewall.  I understood that the keep state would 
>>handle the return packet, am I wrong here?
>>Also, at various times during the testing I had included a second rule:
>>pass out quick inet proto tcp from x.x.x.x port 80 to any keep state
>>as well.  I can't guarantee that I did this in a completely orderly 
>>fashion (it was the middle of the night), but this didn't work then.
>>I *think* I have the basics down here, but there probably is something 
>>completely braindead I've done.
> 
> 
> When filtering on both interfaces, you have to create two state entries
> per forwarded connection.
> 
>   pass in on $if_towards_browser from any to $web_server port 80 \
> 	keep state
>   pass out on $if_towards_server from any to $web_server port 80 \
> 	keep state
> 
> This is just for the initial SYN packet, the state will allow further
> packets in the same direction (and replies in the reverse direction).
> 
> Your rule 'pass out from x.x.x.x port 80 to any' is wrong, it would be
> addressing replies, which isn't necessary.
> 
> You need to allow the initial SYN in on the first interface, then out on
> the second one. A state entry does not grant passage _through_ the
> firewall, it only grants passage through one interface.
> 
> Daniel
> _______________________________________________
> freebsd-pf@freebsd.org mailing list
> http://lists.freebsd.org/mailman/listinfo/freebsd-pf
> To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
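The two per-interface rules Daniel describes, written out as a minimal pf.conf; this is an added example, not configuration from the thread, and the interface names and the server address are assumptions.

```pf
# Added example, not from the thread. Interface names and the address
# below are placeholders; substitute your own.
ext_if     = "fxp0"        # interface towards the browser (outside)
int_if     = "fxp1"        # interface towards the web server (inside)
web_server = "192.0.2.10"  # placeholder address, not from the thread

# Default deny on every interface, in both directions, so that anything
# not covered by a state or an explicit pass rule is dropped.
block all

# First state entry: the initial SYN enters on the outside interface.
# This state only covers traffic crossing $ext_if.
pass in  on $ext_if inet proto tcp from any to $web_server port 80 \
        flags S/SA keep state

# Second state entry: the same SYN leaves on the inside interface.
# Without this rule the packet is dropped by 'block all' on $int_if,
# because the state created on $ext_if does not apply here.
pass out on $int_if inet proto tcp from any to $web_server port 80 \
        flags S/SA keep state

# Not needed: the SYN-ACK and later replies from $web_server port 80 are
# matched by the two states above (state lookup happens before the rules
# are evaluated), so a reply-oriented rule such as
#   pass out on $ext_if proto tcp from $web_server port 80 to any keep state
# adds nothing.
```

After loading the ruleset, `pfctl -ss` should show two state entries per forwarded connection, one per interface, which is the quickest way to confirm both rules are being hit.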