On Tue, Mar 22, 2005 at 01:18:27PM +0100, Peter N. M. Hansteen wrote:
> "Eugene M. Minkovskii" <[EMAIL PROTECTED]> writes:
>
> I'd say something along the lines of
>
> allowed_out = "{ ssh, domain, http, https, etc... }"
>
> pass out on $ext_if proto tcp to any port $allowed_out label allowed-out keep state
>
> you could differentiate among source addresses, for example by
> specifying
>
> client1 = "{ 192.168.n.1, 192.168.n.2 }"
> client2 = "{ 192.168.n.3, 192.168.n.4 }"
>
> client2_inports = "{ whatever they need }"
>
> pass out on $ext_if from $client1 to any proto tcp port $allowed_out \
>     label client1 keep state
>
> pass out on $ext_if from $client2 to any proto tcp port $allowed_out \
>     label client2-out keep state
>
> pass proto tcp from any to $client2 port $client2_inports label client2-in keep state
>
> and so on. Hope this helps.
Just a moment, does it mean that your last rule allows any incoming
connections from the world to the clients if they match client2_inports,
ANY, not only connections opened by the clients? Moreover, I read in the
documentation that the state table is read BEFORE the rules, and
connections that are opened by clients in the first rule:

pass out on $ext_if from $client1 to any proto tcp port $allowed_out \
    label client2 keep state

will not be marked by label client2-in because they don't pass through
this rule. Am I right?
-- 
Sensory yours, Eugene Minkovskii
Сенсорно ваш, Евгений Миньковский
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
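The evaluation order the two messages above are arguing about, as an added example that is not part of the thread and not PF's own code: PF looks a packet up in the state table first, and only a packet with no matching state is walked through the ruleset, where the last matching rule wins unless a rule says `quick`. The toy model below implements just that much (direction, protocol, address sets, destination ports, `keep state`, labels; no interfaces, flags, `quick`, NAT or real TCP state tracking) and runs the quoted ruleset against a few constructed packets. The macro values (192.168.1.x addresses, ports 22/53/80/443, inport 22) and the outside hosts 203.0.113.10 and 198.51.100.7 are assumptions standing in for the thread's placeholders. The last quoted rule has no `in`/`out` and no source restriction, so in the model, as in PF, a fresh connection from any outside host to a client2 inport passes under label client2-in, while the reply packets of a connection client1 opened are matched by the state created by the client1 rule and never reach client2-in at all.

```python
"""Toy model of PF packet evaluation: state table first, then last-matching rule.

Added illustration for this thread; not PF source and not code posted by
either participant.  Only the pieces needed to show the evaluation order are
modelled.  Every rule is a 'pass' rule and the implicit default is block.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str      # "in" or "out" on the external interface
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    label: str
    direction: Optional[str] = None       # None: matches both in and out
    proto: Optional[str] = None           # None: any protocol
    src: Optional[frozenset] = None       # None: any source
    dst: Optional[frozenset] = None       # None: any destination
    dport: Optional[frozenset] = None     # None: any destination port
    keep_state: bool = True

    def matches(self, p: Packet) -> bool:
        return ((self.direction is None or self.direction == p.direction)
                and (self.proto is None or self.proto == p.proto)
                and (self.src is None or p.src in self.src)
                and (self.dst is None or p.dst in self.dst)
                and (self.dport is None or p.dport in self.dport))


class PF:
    def __init__(self, rules):
        self.rules = list(rules)
        # State entries are keyed on the 5-tuple in both directions and carry
        # the label of the rule that created them.
        self.states: Dict[Tuple, str] = {}

    def filter(self, p: Packet) -> Tuple[str, Optional[str]]:
        """Return ('state', label), ('rule', label) or ('block', None)."""
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        # 1. The state table is consulted before the ruleset.
        if fwd in self.states:
            return ("state", self.states[fwd])
        # 2. Walk the ruleset; last matching rule wins (no 'quick' modelled).
        winner = None
        for r in self.rules:
            if r.matches(p):
                winner = r
        if winner is None:
            return ("block", None)
        if winner.keep_state:
            self.states[fwd] = winner.label
            self.states[rev] = winner.label
        return ("rule", winner.label)


# Hypothetical macro values standing in for the thread's placeholders.
CLIENT1 = frozenset({"192.168.1.1", "192.168.1.2"})
CLIENT2 = frozenset({"192.168.1.3", "192.168.1.4"})
ALLOWED_OUT = frozenset({22, 53, 80, 443})
CLIENT2_INPORTS = frozenset({22})

RULES = [
    Rule("client1-out", direction="out", proto="tcp", src=CLIENT1, dport=ALLOWED_OUT),
    Rule("client2-out", direction="out", proto="tcp", src=CLIENT2, dport=ALLOWED_OUT),
    # The last quoted rule: no direction and no source restriction.
    Rule("client2-in", direction=None, proto="tcp", dst=CLIENT2, dport=CLIENT2_INPORTS),
]


def run_scenario() -> Dict[str, Tuple[str, Optional[str]]]:
    """Constructed packets; returns the verdict for each one."""
    pf = PF(RULES)
    out = {}
    # client1 opens an HTTPS connection; the server's reply comes back 'in'.
    out["c1_syn"] = pf.filter(Packet("out", "tcp", "192.168.1.1", 40000, "203.0.113.10", 443))
    out["c1_reply"] = pf.filter(Packet("in", "tcp", "203.0.113.10", 443, "192.168.1.1", 40000))
    # An outside host opens a brand-new connection to a client2 inport.
    out["world_to_c2"] = pf.filter(Packet("in", "tcp", "198.51.100.7", 51515, "192.168.1.3", 22))
    # The same outside host tries client1 on the same port: no rule matches.
    out["world_to_c1"] = pf.filter(Packet("in", "tcp", "198.51.100.7", 51516, "192.168.1.1", 22))
    return out


if __name__ == "__main__":
    for name, verdict in run_scenario().items():
        print(f"{name:12} -> {verdict}")
```

The reply packet in the second step is accounted to client1-out via its state entry, which is what makes label counters on a `keep state` rule reflect whole connections rather than individual packets; the third step is the behaviour Eugene asks about, and the fourth shows that the same probe against a client1 address falls through to the default block.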