[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ipf rules not working; is binat the solution?

On Tue, Nov 19, 2002 at 10:00:08PM -0800, Ed Herkel wrote:
> block             out log                all
> block             in  log                all
> block return-rst  in  log inet proto tcp all
> block return-rst  out log inet proto tcp all
> block return-icmp in  log inet proto udp all
> block return-icmp out log inet proto udp all
This default block section applies to all interfaces, including the
internal interface. Note that states created on the external interface
don't allow associated packets to pass other interfaces automatically.
If you really want to filter on the internal interface as well, add
rules that define which connections to pass there as well (including
creating states there). Otherwise, add something like this after the
default block section:
  pass in  quick on $int_if all
  pass out quick on $int_if all
so the internal interface isn't filtered at all, and all filtering
happens on the external interface.