Thanks for the reply - my IPNAT config is this:

map hme0 10.0.0.0/16 -> 0/32

rdr hme0 0/0 port 22 -> 10.0.0.2 port 22
rdr hme0 0/0 port 25 -> 10.0.0.2 port 25
rdr hme0 0/0 port 236 -> 10.0.0.2 port 236
rdr hme0 0/0 port 237 -> 10.0.0.2 port 237
rdr hme0 0/0 port 113 -> 10.0.0.4 port 113
rdr hme0 0/0 port 5800-5900 -> 10.0.0.4 port 5800
rdr hme0 0/0 port 6881-6889 -> 10.0.0.2 port 6881
rdr hme0 0/0 port 7071 -> 10.0.0.2 port 7071


----- Original Message -----
From: julien Chaffraix <[EMAIL PROTECTED]>
To: Nathan Watson <[EMAIL PROTECTED]>
Cc: freebsd-questions <freebsd-questions@freebsd.org>
Sent: Wednesday, December 13, 2006 12:56:24 PM GMT-0500 US/Eastern
Subject: Re: ipf stateful rules

Nathan Watson wrote:
> Hello,
> I'm running FreeBSD 6.1 with IPF/IPNAT, and I'm having a problem getting my 
> rules to work. The problem is mainly that I want no restrictions on outbound 
> traffic, and I'm not sure how to apply stateful filtering to that. I have the 
> following rule (hme0 is my external interface):
>
> pass out quick on hme0 all
>
> If I change that to "pass out quick on hme0 all keep state," will that only 
> open the port that the outbound packet was on? Are there any problems that 
> can arise from allowing all outbound traffic? At the moment, my ruleset 
> doesn't pass packets at all... I'm just having lots of troubles here. My 
> ruleset is below, and everything seems to be caught by the last block all 
> rule. Any suggestions?
>

You can use "pass out quick on hme0 all keep state" just to allow 
outgoing traffic without restriction.

You didn't mention the IPNAT ruleset which could explain your problem. 
For your use I would have something like:

map hme0 0.0.0.0/0 -> 0.0.0.0/32


Cheers,
Julien
> Thanks,
> nwatson
>
> # no restrictions on internal LAN
> pass out quick on hme1 all
> pass in quick on hme1 all
>
> # no restrictions on loopback
> pass out quick on lo0 all
> pass in quick on lo0 all
>
> # no outbound restrictions
> pass out quick on hme0 all keep state
>
> # block all from non-routable or reserved address space
>
> block in quick on hme0 from 172.16.0.0/12 to any        # private
> block in quick on hme0 from 10.0.0.0/8 to any           # private
> block in quick on hme0 from 127.0.0.0/8 to any          # loopback
> block in quick on hme0 from 0.0.0.0/8 to any            # loopback
> block in quick on hme0 from 169.254.0.0/16 to any       # dhcp auto-config
> block in quick on hme0 from 192.0.2.0/24 to any         # reserved for docs
> block in quick on hme0 from 204.152.64.0/23 to any      # sun cluster interconnect
> block in quick on hme0 from 224.0.0.0/3 to any          # class d & e multicast
>
> # inbound blocks
>
> block in quick on hme0 all with frags   # frags
> block in quick on hme0 proto tcp all with short # short tcp packets
> block in quick on hme0 all with opt lsrr        # source routed packets
> block in quick on hme0 all with opt ssrr        # source routed packets
> block in log first quick on hme0 proto tcp from any to any flags FUP    # nmap os fingerprint attempts, log
> block in quick on hme0 all with ipopts  # anything with special options
> block in quick on hme0 proto icmp all icmp-type 8       # public pings
> block in log first quick on hme0 proto tcp/udp from any to any port = 137   # netbios name
> block in log first quick on hme0 proto tcp/udp from any to any port = 138   # netbios datagram
> block in log first quick on hme0 proto tcp/udp from any to any port = 139   # netbios session
> block in log first quick on hme0 proto tcp/udp from any to any port = 81    # hosts2 name server requests
>
> # allow these
>
> pass in quick on hme0 proto tcp from any to any port = 22 flags S keep state   # ssh
> pass in quick on hme0 proto tcp from any to any port = 25 flags S keep state   # smtp
> pass in quick on hme0 proto tcp from any to any port = 236 flags S keep state  # http
> pass in quick on hme0 proto tcp from any to any port = 237 flags S keep state  # zimbra https
> pass in quick on hme0 proto tcp from any to any port = 113 flags S keep state  # ident
> pass in quick on hme0 proto tcp from any to any port 5800 >< 5900 flags S keep state   # vnc
> pass in quick on hme0 proto tcp/udp from any to any port 6881 >< 6889 keep state       # bittorrent
> pass in quick on hme0 proto tcp from any to any port = 7071 flags S keep state         # zimbra admin https
>
> # block, log all remaining traffic
>
> block in log first quick on hme0


_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
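To see which rule actually catches a packet in a ruleset like the one quoted above, here is an added simulator (mine, not from the thread) for the small subset of ipf.conf syntax those rules use: last-match-wins with `quick` short-circuiting, `flags S` meaning SYN alone, and the `><` range operator, which in ipf excludes both endpoints, so the VNC rule admits 5801-5899 but not 5800. The ruleset excerpt and the packet dicts are constructed for the demonstration; `keep state` is parsed but no state table is modelled.

```python
import ipaddress

# Constructed excerpt of the inbound hme0 rules quoted in the thread (comments stripped).
RULESET = """
block in quick on hme0 from 10.0.0.0/8 to any
block in log first quick on hme0 proto tcp from any to any flags FUP
pass in quick on hme0 proto tcp from any to any port = 22 flags S keep state
pass in quick on hme0 proto tcp from any to any port 5800 >< 5900 flags S keep state
block in log first quick on hme0
"""
KEYS = {'on': 'iface', 'proto': 'proto', 'from': 'src', 'to': 'dst', 'flags': 'flags'}

def parse_rule(line):
    """Parse the subset of ipf.conf syntax used above into a rule dict."""
    t = line.split('#')[0].split()
    r = {'action': t[0], 'dir': t[1], 'quick': 'quick' in t, 'keep_state': 'keep' in t,
         'iface': None, 'proto': None, 'src': None, 'dst': None, 'port': None, 'flags': None}
    i = 2
    while i < len(t):
        if t[i] in KEYS:
            r[KEYS[t[i]]] = t[i + 1]; i += 2
        elif t[i] == 'port' and t[i + 1] == '=':        # single port
            r['port'] = (int(t[i + 2]), int(t[i + 2])); i += 3
        elif t[i] == 'port' and t[i + 2] == '><':       # ipf '><' excludes both endpoints
            r['port'] = (int(t[i + 1]) + 1, int(t[i + 3]) - 1); i += 4
        else:
            i += 1                                      # log, first, all, keep, state
    return r

def matches(r, p):
    """True if rule r applies to packet p (dict: dir, iface, proto, src, dst, dport, flags)."""
    def in_net(k):  # unset or 'any' matches every address
        return r[k] in (None, 'any') or ipaddress.ip_address(p[k]) in ipaddress.ip_network(r[k])
    return (r['dir'] == p['dir'] and (not r['iface'] or r['iface'] == p['iface'])
            and (not r['proto'] or p['proto'] in r['proto'].split('/'))  # 'tcp/udp'
            and in_net('src') and in_net('dst')
            and (not r['port'] or r['port'][0] <= p.get('dport', -1) <= r['port'][1])
            and (not r['flags'] or set(r['flags']) == set(p.get('flags', ''))))  # 'flags S' = SYN only

def evaluate(ruleset, p):
    """ipf semantics: last match wins unless a 'quick' rule matches; (0, 'pass') if none matched."""
    verdict = (0, 'pass')
    for n, line in enumerate(ruleset.strip().splitlines(), 1):
        r = parse_rule(line)
        if matches(r, p):
            verdict = (n, r['action'])
            if r['quick']:
                break
    return verdict
```

Because IPFilter applies inbound rdr before the filter, a connection redirected to 10.0.0.4 port 5800 reaches the filter with destination port 5800 and falls through to the final block rule; widening the range (for example `port 5799 >< 5901`) covers it.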
