
Re: Ruleset Problem



Amir Seyavash Mesry wrote:
Sorry, I thought I gave enough info, they come in on eth1 and leave on eth1.
IE machine that pf.conf was given for is doing nat and some small routing.
Machine1(pf.conf given for this one)
Eth0=internetip
Eth1=10.0.0.1 network 10.0.0.0/24
Eth1=10.0.0.2 network 10.0.0.0/24

Machine2
Eth0=internetip
Eth1=10.0.0.2 network 10.0.0.0/24
Eth1=10.0.4.1 network 10.0.4.0/24

Now I'm really confused :(. Perhaps you could draw a simple diagram?



If I am reading this right, translation takes precedence over filtering, which means if I have the following after translation, then the packets will still pass, or do they get blocked after translation on the outbound if.x

Translated packets still pass through the filter engine and are subject to your filter rules...


block in log all
block out log all

... so this will block translated packets. You'll need to "pass out on $ext ..." later on.


As for the keep state rules, what I was trying to accomplish is passing
packets between eth1 & eth2 checking state on each interface. Maybe one 2
revised rules would be

pass in on $eth1 inet proto udp from $lan1 to $lan2 		keep state
pass in on $eth2 inet proto udp from $lan1 to $lan2 		keep state

Is $lan1 connected to $eth1 or $eth2? From what I can tell, $lan1 is on $eth1 so looking for packets from $lan1 on $eth2 isn't necessary.


Do I need a corresponding one backtracking such as?

pass in on $eth2 inet proto udp from $lan2 to $lan1 		keep state
pass in on $eth1 inet proto udp from $lan2 to $lan1 		keep state

Same situation here with $lan2.


What you need is a set of rules to pass traffic OUT on $eth1, $eth2. Like I said, "keep state" only tracks state on one interface, not all of them.

	pass in  on $eth1 from $lan1 to $lan2 keep state
	pass out on $eth2 from $lan1 to $lan2 keep state



.joel
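To make the two points in the reply concrete (a "block out log all" still catches translated or forwarded packets unless a later "pass out" rule matches, and "keep state" only creates a state entry on the interface where the rule matched, so traffic crossing from $eth1 to $eth2 needs its own pass-out rule on $eth2), here is an added toy simulation of pf's rule evaluation. It is not part of the thread and not pf's code: it models "last matching rule wins" and interface-bound states as joel describes them, and the interface names, host addresses and rule sets are constructed for the example.

```python
"""Toy model of pf rule evaluation (added illustration, not pf's code).

Models two behaviours the reply relies on:
  * the last matching rule wins, and
  * "keep state" creates a state entry bound to the interface on which the
    rule matched, so a state on eth1 does not pass the same packet when it
    is filtered again on its way out of eth2.
Interfaces, addresses and rule sets are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    iface: str       # interface the packet is being filtered on
    direction: str   # "in" or "out"
    src: str
    dst: str


@dataclass(frozen=True)
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    iface: str = "any"     # interface name, or "any"
    src: str = "any"       # CIDR prefix, or "any"
    dst: str = "any"
    keep_state: bool = False


def in_net(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        # State entries are keyed by the interface they were created on.
        self.states = set()   # (iface, src, dst)

    def filter(self, pkt: Packet) -> str:
        # A state created on this interface matches packets in both directions.
        if (pkt.iface, pkt.src, pkt.dst) in self.states or \
           (pkt.iface, pkt.dst, pkt.src) in self.states:
            return "pass"
        winner = None
        for r in self.rules:
            if r.direction != pkt.direction:
                continue
            if r.iface not in ("any", pkt.iface):
                continue
            if not (in_net(pkt.src, r.src) and in_net(pkt.dst, r.dst)):
                continue
            winner = r           # last matching rule wins
        if winner is None:
            return "pass"        # pf passes what no rule matches
        if winner.action == "pass" and winner.keep_state:
            self.states.add((pkt.iface, pkt.src, pkt.dst))
        return winner.action

    def forward(self, src, dst, in_if, out_if):
        """Filter a packet inbound on in_if and, if it passed, outbound on
        out_if. Returns a trace of (iface, direction, verdict) tuples."""
        trace = []
        verdict = self.filter(Packet(in_if, "in", src, dst))
        trace.append((in_if, "in", verdict))
        if verdict == "pass":
            verdict = self.filter(Packet(out_if, "out", src, dst))
            trace.append((out_if, "out", verdict))
        return trace


LAN1, LAN2 = "10.0.0.0/24", "10.0.4.0/24"   # $lan1 behind eth1, $lan2 behind eth2

# "block in log all", "block out log all", then only the pass-in rule on eth1
BASE = [
    Rule("block", "in"),
    Rule("block", "out"),
    Rule("pass", "in", "eth1", LAN1, LAN2, keep_state=True),
]
# The suggested pair: add the rule that passes the traffic OUT on eth2
FIXED = BASE + [Rule("pass", "out", "eth2", LAN1, LAN2, keep_state=True)]


def run(rules):
    """Send one packet lan1 -> lan2 and its reply; return both traces."""
    fw = Firewall(rules)
    request = fw.forward("10.0.0.5", "10.0.4.5", "eth1", "eth2")
    reply = fw.forward("10.0.4.5", "10.0.0.5", "eth2", "eth1")
    return request, reply


if __name__ == "__main__":
    for name, rules in (("pass in on eth1 only", BASE),
                        ("plus pass out on eth2", FIXED)):
        req, rep = run(rules)
        print(f"{name}: request {req}  reply {rep}")
```

With only the pass-in rule the request is passed on eth1 (creating a state bound to eth1) and then dropped by "block out" on eth2, and the reply never gets in on eth2 at all. With the pass-out rule on eth2 the request leaves, a second state bound to eth2 is created, and the reply is passed on both interfaces by the two states without touching the rule list again.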