[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: scrub and state questions
On Sun, 5 Sep 2004, Oliver Humpage wrote:
> On Sun, 5 Sep 2004, Mipam wrote:
> > If I have set state-poliy floating and i have
> > block in on $ext_if
> > pass out on $ext_if modulate state
> > Then traffic incomming on $int_if will be allowed, because it may
> > leave through the $ext_if right? Traffic to an open port (on the pf
> > machine) on the $int_if
> > will also be accepted, and traffic which comes in on $ext_if belonging to
> > a connection initiated by a machine connected to the $int_if is also
> > allowed to pass out on $int_if right?
> I believe so: best way to find out is to experiment :)
It works fine. :-)
> > and i wish to allow clients on the $int_if to make connections to web
> > servers i need to have:
> > pass in on $int_if inet proto tcp from a.b.c/24 to any port 80 \
> > keep state
> > pass out on $ext_if inet proto tcp from a.b.c/24 to any port 80 \
> > modulate state
> Yes, as long as you're not doing NAT (see below).
> > I assume that filtering on outbound traffic is done before NAT?
> No - that's why nat (and rdr and binat) come before filtering in the
> ruleset: packets are first translated via NAT, then packet matching
> applied. So your second rule ought to be:
Hmm i see, so for outbound traffic over $ext_if
And for inbound traffic first filtering and then nat.
For ipf its the other way around, okay, it clears things up, thank you.
> > Suppose with the same state-policy if-bound and i wish to allow
> > traffic to an internal webserver:
> > pass in on $ext_if inet proto tcp from any to any port 80 flags S/SA \
> > synproxy state
> > pass out on $int_if inet proto tcp from any port 80 to any keep state
> second rule should be "... from any to any port 80...", although I'd
> advise using a specific network rather than 'any' in both rules (i.e. from
> any to a.b.c/24 port 80).
Okay, but in the first rule i cannot use a.b.c/24, because natting will
happen after filtering inbound right?
So second rule would be then:
pass out on $int_if inet proto tcp from any to a.b.c/24 port 80 keep state
(supposed natting happend before this rule is applied?)
> I'm sure there are many more subtleties other people can offer, I'm just
> replying with what I know because no-one else has yet :)
Thanks for the reply.