
Re: question on pf filtering

On Tue, 2004-11-02 at 13:37, Srikanth Sagiraju wrote:
> Hello guys,
> 
>  I am a newbie to packet filter (pf), so please forgive me if this is a
> stupid question or if I am asking this at the wrong place.
> 
> I was looking at some of the sample pf rules given at:
> http://www.openbsd.org/faq/pf/queueing.html .
> 
> On the same page in the second example (Ex2: Company network) there is
> a rule that accepts DNS(port 53) requests from 'wwwserv' to any on 'fxp1
> inbound' as below:
> # filter rules for fxp1 inbound
> pass in on fxp1 proto { tcp, udp } from $wwwserv to any port 53 \
> 	keep state
> 
> But 'fxp0' does NOT allow any new 'outbound' connections except from the
> 'int_net'. Would that mean that DNS packets are not allowed outside the
> firewall and the above rule was written in vain?? I am missing
> something here..

What you are missing is the "keep state" on the rule, which tells the
firewall to remember when sessions are established and allow packets
associated with those sessions to pass out.
-- 
Russell Fulton, Information Security Officer, The University of Auckland
New Zealand
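The interaction described in the reply, as an added pf.conf example that is not from the thread or the OpenBSD FAQ; the interface names and the $wwwserv and $int_net macros follow the question, while the addresses and the `block all` default are constructed assumptions.

```pf
# Added example (not from the thread or the OpenBSD FAQ). Interface and macro
# names follow the question; the addresses below are constructed.
ext_if  = "fxp0"                 # towards the Internet
dmz_if  = "fxp1"                 # towards the DMZ holding the web server
int_net = "192.168.0.0/24"       # constructed internal network
wwwserv = "192.168.1.10"         # constructed DMZ web server address

# Default deny on every interface, in both directions (assumption).
block all

# fxp0 outbound: only the internal network may open new connections.
pass out on $ext_if from $int_net to any keep state

# fxp1 inbound: the web server may start DNS lookups. "keep state" is the
# essential part: the first packet that matches creates a state entry.
pass in on $dmz_if proto { tcp, udp } from $wwwserv to any port 53 keep state

# Why the DNS rule works even though fxp0 has no matching "pass out" rule:
#  1. The query enters on fxp1, matches the rule above and creates a state.
#  2. pf looks up the state table before it evaluates the ruleset on any
#     interface, and state entries are not bound to an interface by default
#     (the "floating" state policy). When the same query is evaluated
#     outbound on fxp0 it matches the existing state and is passed without
#     ever reaching "block all".
#  3. The reply re-enters on fxp0 and leaves on fxp1 through the same entry.
# Without "keep state" (a stateless rule in pf of that era) step 2 would fall
# through to the fxp0 ruleset, where only $int_net traffic passes, and the
# query would be dropped.
#
# Checks: "pfctl -nf /etc/pf.conf" parses the file without loading it, and
# "pfctl -ss" lists the state entries created by the rules above.
```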