Re: question about flags
On Fri, May 21, 2004 at 04:27:19PM -0400, Chad M Stewart wrote:
> Take for example a web server sitting in the DMZ, where DMZ is using
> say 192.168.4.0/24, i.e. NAT is being used. The packet comes in via
> something like
> pass in on $wan_if inet proto tcp from any to $www_srv port 80 synproxy
> then it must pass out the $dmz_if which would hit this rule
> pass out proto tcp all synproxy state
i don't know if you'll run into a problem with having two boundaries
of synproxying, but i tried something like that once a while ago
and connections didn't open. could've just been i had faulty logic
in my rules.
i'm not conversant enough in using DMZs to confidently answer your
question completely/well, but:
> What would a rule
> look like that would allow the flow of packets to/from the $www_srv
> *but* not allow a connection to be created coming from the $www_srv,
> i.e. only the SYN flag set.
a rule which doesn't allow a SYN flag could be
pass inet proto tcp flags /S
basically says "only flag i care about is SYN, and it must not be set"
[ openbsd 3.5 GENERIC ( may 10 ) // i386 ]
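As an added example that is not code from the thread, here is a small Python matcher for pf's `flags a/b` option following the pf.conf(5) semantics (of the flags listed in b, those in a must be set and the rest must be clear; flags not in b are ignored), run over constructed TCP segments to show that `flags /S` matches everything except segments carrying SYN, while `flags S/SA` matches only the initial SYN of a connection.

```python
# Added example (not from the original thread): a matcher for pf's "flags a/b",
# "flags /b" and "flags any" syntax, per the pf.conf(5) description.
from typing import Optional, Tuple

# TCP flag letters as pf spells them, with their header bit values.
FLAG_BITS = {"F": 0x01, "S": 0x02, "R": 0x04, "P": 0x08,
             "A": 0x10, "U": 0x20, "E": 0x40, "W": 0x80}


def letters_to_bits(letters: str) -> int:
    """Convert a pf flag string such as 'SA' into a TCP flags bitmask."""
    bits = 0
    for ch in letters:
        if ch not in FLAG_BITS:
            raise ValueError(f"unknown TCP flag letter {ch!r}")
        bits |= FLAG_BITS[ch]
    return bits


def parse_flags_spec(spec: str) -> Optional[Tuple[int, int]]:
    """Parse 'a/b', '/b' or 'any' into (must_be_set, checked); None means any."""
    spec = spec.strip()
    if spec == "any":
        return None
    if "/" not in spec:
        raise ValueError("expected 'a/b', '/b' or 'any'")
    a, b = spec.split("/", 1)
    return letters_to_bits(a), letters_to_bits(b)


def flags_match(spec: str, tcp_flags) -> bool:
    """True if a segment (flag letters or raw header byte) matches the rule's flags spec."""
    parsed = parse_flags_spec(spec)
    if parsed is None:
        return True
    must_set, checked = parsed
    pkt = tcp_flags if isinstance(tcp_flags, int) else letters_to_bits(tcp_flags)
    # Only the checked bits matter; among them exactly the 'a' bits must be set.
    return (pkt & checked) == must_set


if __name__ == "__main__":
    # Constructed sample segments such as an outbound rule on $dmz_if might see.
    for name, flags in [("initial SYN", "S"), ("SYN/ACK reply", "SA"),
                        ("data with ACK", "PA"), ("FIN/ACK", "FA")]:
        print(f"{name:14} flags /S -> {flags_match('/S', flags)!s:5} "
              f"flags S/SA -> {flags_match('S/SA', flags)}")
```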