
Re: ipf rules not working; is binat the solution?



FWIW, with ipv6, this is what I do:
int="xl0"
ext="{ xl1, gif0 }"
# block and log everything from the outside by default
block              out       log on $ext           all
block              in        log on $ext           all
block return-rst   out       log on $ext proto tcp all
block return-rst   in        log on $ext proto tcp all
block return-icmp  out       log on $ext proto udp all
block return-icmp  in        log on $ext proto udp all
# be picky about inside inet6 stuff, since this is world reachable
block              out log on $int inet6           all
block              in  log on $int inet6           all
block return-rst   out log on $int inet6 proto tcp all
block return-rst   in  log on $int inet6 proto tcp all
#block return-icmp6(port-unr)   in  log on $int inet6 proto tcp all
block return-icmp6 out log on $int inet6 proto udp all
block return-icmp6 in  log on $int inet6 proto udp all
... and of course rules to allow 'allowed' services inside.
-- 
Todd Fries .. [email protected]
(last updated $ToddFries: signature.p,v 1.2 2002/03/19 15:10:18 todd Exp $)
Penned by Daniel Hartmeier on Wed, Nov 20, 2002 at 02:22:48PM +0100, we have:
| On Tue, Nov 19, 2002 at 10:00:08PM -0800, Ed Herkel wrote:
| 
| > block             out log                all
| > block             in  log                all
| > block return-rst  in  log inet proto tcp all
| > block return-rst  out log inet proto tcp all
| > block return-icmp in  log inet proto udp all
| > block return-icmp out log inet proto udp all
| 
| This default block section applies to all interfaces, including the
| internal interface. Note that states created on the external interface
| don't allow associated packets to pass other interfaces automatically.
| 
| If you really want to filter on the internal interface as well, add
| rules that define which connections to pass there as well (including
| creating states there). Otherwise, add something like this after the
| default block section:
| 
|   pass in  quick on $int_if all
|   pass out quick on $int_if all
| 
| so the internal interface isn't filtered at all, and all filtering
| happens on the external interface.
| 
| Daniel
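To make the interface-scoping advice in this thread concrete, the following is an added example ruleset, written for this page and not taken from the thread or from pf's own documentation. It uses the pf.conf syntax of the era (which current pf still accepts). The interface names `xl0`/`xl1` follow Todd's message; the inside network `192.168.1.0/24` and SSH on port 22 are constructed stand-ins for "allowed" services. The default block is scoped with `on $ext_if`, so the internal interface is untouched, the internal interface is then passed `quick` as Daniel suggests, and outbound connections create state on the external interface. Because states in that pf release were bound to the interface they were created on, every `keep state` rule sits on the interface whose packets it must match; later pf releases added `set state-policy floating`, which removes that binding, but the ruleset below follows the thread's assumption.

```pf
# Added example pf.conf, not from the thread. Interface names follow Todd's
# message; int_net and port 22 are constructed values for illustration.
ext_if="xl1"
int_if="xl0"
int_net="192.168.1.0/24"

# Default deny, scoped to the external interface. Without "on $ext_if" these
# rules also match the internal interface, which is what bit the original poster.
block              in  log on $ext_if all
block              out log on $ext_if all
block return-rst   in  log on $ext_if inet proto tcp all
block return-rst   out log on $ext_if inet proto tcp all
block return-icmp  in  log on $ext_if inet proto udp all
block return-icmp  out log on $ext_if inet proto udp all

# Variant 1 (Daniel's suggestion): do not filter the internal interface at all.
# "quick" ends rule evaluation, so no later rule can block internal traffic.
pass in  quick on $int_if all
pass out quick on $int_if all

# Connections from the LAN leaving through the external interface create state
# on $ext_if; the replies arrive on the same interface and match that state.
pass out on $ext_if inet proto tcp  from any to any flags S/SA keep state
pass out on $ext_if inet proto udp  from any to any keep state
pass out on $ext_if inet proto icmp from any to any keep state

# One inbound "allowed" service: SSH to the firewall itself (constructed example).
pass in on $ext_if inet proto tcp from any to $ext_if port 22 flags S/SA keep state

# Variant 2: filter the internal interface as well. To use it, drop the two
# "quick" rules above and uncomment this section. Each interface needs its own
# pass rules and its own state: a state created on $ext_if does not let the
# same connection pass on $int_if.
#block in  log on $int_if all
#block out log on $int_if all
#pass in  on $int_if inet proto tcp from $int_net to any flags S/SA keep state
#pass in  on $int_if inet proto udp from $int_net to any keep state
#pass out on $int_if inet proto tcp from any to $int_net flags S/SA keep state
#pass out on $int_if inet proto udp from any to $int_net keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check without activating, then `pfctl -f /etc/pf.conf`. With Variant 1 a LAN host's outbound TCP connection creates one state on `xl1` only; with Variant 2 the same connection shows up in `pfctl -ss` twice, once per interface, which is exactly the behaviour Daniel describes.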