At the moment, I just use a simple configuration that passes all traffic.
Nothing needs to be restricted.

This is my NAT configuration sample, kept simple ;)

# Run NAT
/sbin/natd -interface rl0
/sbin/ipfw -f flush
/sbin/ipfw add divert natd all from any to any via rl0
/sbin/ipfw add pass all from any to any

and the interfaces:

ifconfig
rl0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet6 fe80::2e0:4cff:feaa:3e53%rl0 prefixlen 64 scopeid 0x1
        inet 192.168.2.231 netmask 0xffffff00 broadcast 192.168.2.255
        ether 00:e0:4c:aa:3e:53
        media: Ethernet autoselect (100baseTX <full-duplex>)
        status: active
rl1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        options=8<VLAN_MTU>
        inet6 fe80::213:46ff:fe3a:da6f%rl1 prefixlen 64 scopeid 0x2
        inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
        ether 00:13:46:3a:da:6f
        media: Ethernet autoselect (10baseT/UTP)
        status: active
plip0: flags=108810<POINTOPOINT,SIMPLEX,MULTICAST,NEEDSGIANT> mtu 1500
lo0: flags=8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000

regards,
koro


On Sun, 10 Dec 2006, Nathan Watson wrote:

Hello,
I'm running FreeBSD 6.1 with IPF/IPNAT, and I'm having a problem getting my 
rules to work. The problem is mainly that I want no restrictions on outbound 
traffic, and I'm not sure how to apply stateful filtering to that. I have the 
following rule (hme0 is my external interface):

pass out quick on hme0 all

If I change that to "pass out quick on hme0 all keep state," will that only 
open the port that the outbound packet was on? Are there any problems that can arise from 
allowing all outbound traffic? At the moment, my ruleset doesn't pass packets at all... 
I'm just having lots of troubles here. My ruleset is below, and everything seems to be 
caught by the last block all rule. Any suggestions?
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
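
Added example (not from either poster, and not IPFilter's own code): a simplified Python model of what "pass out quick on hme0 all keep state" followed by a final block rule does to inbound packets on the external interface. The class and function names are hypothetical, the addresses are constructed documentation-range values, and the model leaves out state timeouts and TCP flag/sequence tracking.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str  # "out" or "in", as seen on the external interface (hme0)
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


class StatefulFilter:
    """Simplified model of two rules on the external interface:
         pass out quick on hme0 all keep state
         block in all
    """

    def __init__(self):
        # One entry per outbound flow:
        # (proto, local addr, local port, remote addr, remote port)
        self.states = set()

    def check(self, p):
        if p.direction == "out":
            # Every outbound packet passes and records state for its flow.
            self.states.add((p.proto, p.src, p.sport, p.dst, p.dport))
            return "pass"
        # Inbound: passes only if it is the mirror image of a recorded flow.
        key = (p.proto, p.dst, p.dport, p.src, p.sport)
        return "pass" if key in self.states else "block"


def demo():
    fw = StatefulFilter()
    # Constructed sample traffic (assumed addresses, documentation ranges).
    out = Packet("out", "tcp", "192.0.2.10", 40000, "198.51.100.5", 80)
    reply = Packet("in", "tcp", "198.51.100.5", 80, "192.0.2.10", 40000)
    other_host = Packet("in", "tcp", "203.0.113.9", 80, "192.0.2.10", 40000)
    other_port = Packet("in", "tcp", "198.51.100.5", 80, "192.0.2.10", 22)
    # The reply is checked once before and once after the outbound packet.
    return [fw.check(p) for p in (reply, out, reply, other_host, other_port)]


if __name__ == "__main__":
    print(demo())
```

In this model the state entry admits only the reverse of the exact flow that went out; the same local port is still closed to a different remote host, and other local ports stay closed to the same remote host.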
