
Re: question about flags



On Fri, May 21, 2004 at 04:27:19PM -0400, Chad M Stewart wrote:
>
> Take for example a web server sitting in the DMZ, where DMZ is using 
> say 192.168.4.0/24, i.e. NAT is being used.  The packet comes in via 
> something like
> 
> pass in on $wan_if inet proto tcp from any to $www_srv port 80 synproxy state
> 
> then it must pass out the $dmz_if which would hit this rule
> 
> pass out proto tcp all synproxy state
  I don't know if you'll run into a problem with having two boundaries
  of synproxying, but I tried something like that once a while ago
  and connections didn't open.  Could've just been I had faulty logic
  in my rules.
  I'm not conversant enough in using DMZs to confidently answer your
  question completely/well, but:
> What would a rule 
> look like that would allow the flow of packets to/from the $www_srv 
> *but* not allow a connection to be created coming from the $www_srv, 
> i.e. only the SYN flag set.
  A rule which doesn't allow a SYN flag could be
pass inet proto tcp flags /S
  which basically says "the only flag I care about is SYN, and it must not be set".
  jared
-- 
[ openbsd 3.5 GENERIC ( may 10 ) // i386 ]
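As an added example (not part of jared's reply and not pf's own code), the following Python model implements pf's `flags <set>/<mask>` matching so you can see which TCP segments the `flags /S` rule from the reply admits compared with the common `flags S/SA`; the flag bit table and the sample segments are constructed for the demonstration.

```python
# Model of how pf's "flags <set>/<mask>" option decides whether a TCP segment
# matches a rule.  Semantics (pf.conf): of the flags named in <mask>, exactly
# those named in <set> must be on; flags outside <mask> are ignored.  An empty
# <set>, as in "flags /S", means every flag in the mask must be off, i.e. the
# segment must not carry SYN.  (Added example, not pf source.)

# TCP header flag bits (RFC 793 plus ECE/CWR from RFC 3168), in pf's letters.
TCP_FLAGS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def parse_flags(spec: str) -> tuple:
    """Parse a pf flags spec such as 'S/SA' or '/S' into (set_bits, mask_bits)."""
    set_part, _, mask_part = spec.partition("/")
    if not mask_part:
        raise ValueError("a mask is required, e.g. 'S/SA' or '/S'")
    set_bits = sum(TCP_FLAGS[c] for c in set_part)
    mask_bits = sum(TCP_FLAGS[c] for c in mask_part)
    if set_bits & ~mask_bits:
        raise ValueError("every flag in <set> must also appear in <mask>")
    return set_bits, mask_bits


def rule_matches(spec: str, tcp_flags: int) -> bool:
    """True if a segment carrying tcp_flags satisfies the rule's flags option."""
    set_bits, mask_bits = parse_flags(spec)
    return (tcp_flags & mask_bits) == set_bits


# Constructed sample segments, labelled by the flags they carry.
SEGMENTS = {
    "SYN (new connection attempt)": TCP_FLAGS["S"],
    "SYN+ACK (reply to a SYN)":     TCP_FLAGS["S"] | TCP_FLAGS["A"],
    "ACK (mid-connection data)":    TCP_FLAGS["A"],
    "FIN+ACK (teardown)":           TCP_FLAGS["F"] | TCP_FLAGS["A"],
}


def evaluate(spec: str) -> dict:
    """Map each sample segment to whether the given flags spec matches it."""
    return {name: rule_matches(spec, bits) for name, bits in SEGMENTS.items()}


if __name__ == "__main__":
    # "/S" passes everything except segments with SYN set (no new connections);
    # "S/SA" passes only a bare SYN (the usual "initial packet only" idiom).
    for spec in ("/S", "S/SA"):
        print(f"flags {spec}")
        for name, ok in evaluate(spec).items():
            print(f"  {'match ' if ok else 'no    '} {name}")
```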