
Re: between $x and $y rule?



On Wed, 2003-05-28 at 21:22, Tom Ryan wrote:
> I'm no expert with pf!  But I'm wondering about something...
> 
> I have quite a few rules like:
> 
> -----
> # allow IKE between other_host and ext_ip
> pass in on $ext_if proto udp from $other_host to $ext_ip port 500 keep state
> pass in on $ext_if proto udp from $ext_ip to $other_host port 500 keep state
> -----
> 
> Am I doing this wrong???
Yes.
> Can I somehow set a bidirectional rule of some sort?  
No.
> For example, is there a "between x and y" type of syntax that I could
> employ?
First, your example is flawed.  You're not going to allow "pass in" for
both of those flows.  One of those should be pass in, one should be pass
out.  And yes, you need them both ways since both sides of your tunnel
will originate sessions at some point (IIRC).  You have two flows of
data to keep track of.
pass in on $ext_if proto udp from $other_host to $ext_ip port 500 keep state
pass out on $ext_if proto udp from $ext_ip to $other_host port 500 keep state
I'm sure Hakan or Henning will correct me if I'm wrong.  :)
-- 
Jason Dixon, RHCE
DixonGroup Consulting
http://www.dixongroup.net
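As an added illustration (not part of the thread and not either poster's configuration), here is a minimal pf.conf that puts the flawed pair of "pass in" rules beside the corrected in/out pair under a default-deny policy, so the direction of each rule actually matters. The interface name, the addresses behind the $ext_if, $ext_ip and $other_host macros, and the "block all" default are assumptions chosen for the example.

```conf
# Added example, not from the thread. Macro values are assumed.
ext_if     = "fxp0"            # assumed external interface
ext_ip     = "192.0.2.10"      # assumed local address (documentation range)
other_host = "198.51.100.20"   # assumed remote IKE peer (documentation range)

# Default-deny, so only traffic matched by a pass rule gets through
block all

# Flawed original from the thread: both rules are "pass in".
# The second one can never match the locally originated IKE flow, since
# that flow leaves $ext_if and is evaluated as outbound. The only inbound
# packets it could match are ones arriving with a spoofed source of $ext_ip.
#pass in on $ext_if proto udp from $other_host to $ext_ip port 500 keep state
#pass in on $ext_if proto udp from $ext_ip to $other_host port 500 keep state

# Corrected: one rule per direction of initiation. "keep state" creates a
# state entry on the first packet, so the replies to each flow are passed
# by the state table without needing a rule of their own.
pass in  on $ext_if proto udp from $other_host to $ext_ip port 500 keep state
pass out on $ext_if proto udp from $ext_ip to $other_host port 500 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and after the peer has negotiated, `pfctl -ss` shows the UDP state entries that the in and out rules created. On OpenBSD 4.1 and later, pass rules keep state by default, so the `keep state` keyword is optional there; it is kept here to match the rules in the thread.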