
question about flags

This is my first adventure with PF, coming from Linux, FW-1, etc. For the moment I've decided that I'll allow all outbound packets on every interface to create state. Not sure if that is a good idea or not. Thoughts? I've also set two default rules

block in log-all on  { $all_if } all
block out log-all on  { $all_if } all

Take for example a web server sitting in the DMZ, where the DMZ is, say, on private addresses, i.e. NAT is being used. The packet comes in via something like

pass in on $wan_if inet proto tcp from any to $www_srv port 80 synproxy state

then it must pass out the $dmz_if which would hit this rule

pass out proto tcp all synproxy state

Now here is where my question comes in. The first packet back will have both the SYN and ACK flags set, all subsequent packets from $www_srv will have the ACK flag set, and then finally the FIN flag. What would a rule look like that would allow the flow of packets to/from $www_srv *but* not allow a connection to be created coming from $www_srv, i.e. only the SYN flag set?

I might be not seeing the forest through the trees as I'm low on sleep today. Please be gentle when you apply the clue stick. ;)
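As an added example (not part of the original post, and not a ruleset from the OpenBSD project), here is how the "only the outside may start the connection" requirement is usually expressed in pf.conf. The point is that only the first packet of a connection is evaluated against the ruleset when that packet creates state; the SYN+ACK, the ACKs and the FINs are matched against the state table and never see a rule again. So the flag check belongs on the state-creating rule, written as `flags S/SA` (SYN set, ACK clear, out of the SYN and ACK bits), and the web server is kept from originating connections simply by having no `pass in` rule on $dmz_if that would let its SYNs create state. The fragment reuses the poster's macros ($all_if, $wan_if, $dmz_if, $www_srv) and the OpenBSD 3.x-era syntax of the rules quoted above (`log-all`, explicit `keep state`), all of which are assumptions; on OpenBSD 4.1 and later, `flags S/SA keep state` is already the default for TCP pass rules and can be omitted.

```pf
# Added example, not from the original post. Assumes the poster's macros
# ($all_if, $wan_if, $dmz_if, $www_srv) and OpenBSD 3.x-era pf.conf syntax
# (log-all, explicit flags/keep state) to match the rules quoted above.

# Defaults: drop and log everything not explicitly passed.
block in  log-all on { $all_if } all
block out log-all on { $all_if } all

# Client -> web server. "flags S/SA" matches only the initial SYN
# (SYN set, ACK clear), so this rule can only be hit by a packet that
# *starts* a connection from the outside. synproxy makes pf complete
# the client's handshake itself before opening the server side.
pass in on $wan_if inet proto tcp from any to $www_srv port 80 \
    flags S/SA synproxy state

# The same connection leaving on the DMZ side. With the default floating
# state policy the state created on $wan_if already covers this packet,
# so this rule is belt-and-braces; it matters with "set state-policy
# if-bound". Again only the SYN is evaluated; the state entry carries
# the SYN+ACK, ACKs and FINs without any further rule matching.
pass out on $dmz_if inet proto tcp from any to $www_srv port 80 \
    flags S/SA keep state

# Note what is deliberately NOT here: no
#   pass in on $dmz_if proto tcp from $www_srv ... flags S/SA keep state
# A SYN originated by the web server arrives on $dmz_if, matches no
# state, falls through to the default "block in" and is logged, while
# the SYN+ACK it sends in reply to a client matches existing state and
# is passed. No flags-based rule for the reply packets is needed.
```

Syntax-check the file with `pfctl -nf /etc/pf.conf` before loading it; after a client connects, `pfctl -ss` should show a single TCP state for that connection, and `tcpdump -n -e -ttt -i pflog0` should show any connection attempt started by the web server being dropped by the `block in` rule.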