Re: ipf rules not working; is binat the solution?
On Tue, Nov 19, 2002 at 10:00:08PM -0800, Ed Herkel wrote:
> block out log all
> block in log all
> block return-rst in log inet proto tcp all
> block return-rst out log inet proto tcp all
> block return-icmp in log inet proto udp all
> block return-icmp out log inet proto udp all
This default block section applies to all interfaces, including the
internal interface. Note that states created on the external interface
don't allow associated packets to pass other interfaces automatically.
If you really want to filter on the internal interface as well, add
rules that define which connections to pass there as well (including
creating states there). Otherwise, add something like this after the
default block section:
pass in quick on $int_if all
pass out quick on $int_if all
so the internal interface isn't filtered at all, and all filtering
happens on the external interface.
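As an added illustration (not code from the thread or from the ipf project), here is a small script that emits a complete ruleset along the lines of the reply: the poster's default block section, the internal interface passed unfiltered, and stateful pass rules on the external interface so that return traffic matches there. The interface names are placeholders, and since ipf does not expand variables itself the script substitutes them before the rules are loaded.

```shell
#!/bin/sh
# Generate an ipf ruleset that keeps the default-block section from the
# thread, leaves the internal interface unfiltered, and filters statefully
# on the external interface. Interface names are assumptions passed as args.
gen_rules() {
    ext_if="$1"
    int_if="$2"
    cat <<EOF
# default block section: applies to every interface; no "quick", so
# ipf's last-match semantics let later rules override it
block out log all
block in log all
block return-rst in log inet proto tcp all
block return-rst out log inet proto tcp all
block return-icmp in log inet proto udp all
block return-icmp out log inet proto udp all
# internal interface: not filtered at all (as suggested in the reply)
pass in quick on $int_if all
pass out quick on $int_if all
# external interface: permit outbound connections and keep state so the
# replies match on $ext_if; unsolicited inbound traffic hits the block above
pass out quick on $ext_if proto tcp from any to any flags S keep state
pass out quick on $ext_if proto udp from any to any keep state
pass out quick on $ext_if proto icmp from any to any keep state
EOF
}

# usage (as root): ./genrules.sh fxp0 fxp1 > /etc/ipf.conf && ipf -Fa -f /etc/ipf.conf
if [ "$#" -eq 2 ]; then
    gen_rules "$1" "$2"
fi
```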