* [EMAIL PROTECTED] <[EMAIL PROTECTED]> [051114 02:47]:
> Quoting Jim Razmus <[EMAIL PROTECTED]>:
>
> > * Jimmy Scott <[EMAIL PROTECTED]> [051113 12:35]:
> > > Hi misc@,
> > >
> > > I finally had some time to rearrange my network, and split it into 3
> > > parts: LAN, DMZ, WAN.
> > >
> > > Basically, the LAN (172.20) may not access the DMZ (172.16), but host
> > > 172.20.1.10 can. The DMZ may not access the LAN, and both can go to the
> > > WAN.
> > >
> > > But for some reason, when I create state from 172.20.1.10 to 172.16.x.x,
> > > the packet coming back gets blocked, which should not happen because the
> > > state would be checked first and the state really is created?!
> > >
> > > I tried setting 'set state-policy floating' explicitly, but no advance.
> > > Someone who knows what the problem is here? I had a ruleset with a bunch
> > > of 'quick' rules before instead of this, but had the same problem.
> > >
> > > [diagnostics snipped]
> > >
> >
> > I think you might have the concept of "in" and "out" rules confused.
> > Visualize yourself sitting in the computer between the three interfaces.
> > From that perspective, "in" rules mean a packet coming from a remote
> > host to you through one of those interfaces. Conversely, "out" rules
> > mean a packet leaving from the local machine to some remote host.
> >
> > Give something like this a whirl for starters. Caution, I have not
> > tested these! You also likely need to allow packets from the Internet
> > into your DMZ.
> >
> > # pf.conf
> > [proposed firewall rules snipped]
> >
> > HTH,
> > Jim
> >
>
> Aah, I see what I did wrong. Since I used 'pass all on sis2' in the past,
> I never realized that state creation on an 'in' will only match an 'out'
> for traffic in the other direction, right? So for traffic from sis2 to sis1
> I will need to create states on the 'in' of sis2 and states on the 'out' of
> sis1, if I got it right.
>
> Also thanks for your example, I will take a look at it later when I'm back
> home to figure things out.
>
> Kind regards,
> Jimmy Scott
You might find this helpful:

http://www.openbsd.org/faq/pf/filter.html#state

You're essentially correct if I understand you correctly. ;-) Actual rules
would help remove the ambiguity from the discussion. Regardless, the pf FAQ
is your friend and can explain the subject far better than I can.

Good Luck,
Jim
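A minimal three-interface ruleset that spells out the in/out state relationship Jimmy describes, added here as an illustration; it is neither the ruleset Jim proposed (snipped above) nor Jimmy's real configuration. The mapping sis0 = WAN, sis1 = DMZ, sis2 = LAN, the /16 masks for 172.20 and 172.16, and the macro names are assumptions; 172.20.1.10 as the single LAN host allowed into the DMZ comes from the thread.

```pf
# Added example in 3.x-era pf.conf syntax ("keep state" written explicitly).
# Assumed: sis0 = WAN, sis1 = DMZ, sis2 = LAN; /16 masks assumed for 172.20 and 172.16.
ext_if  = "sis0"
dmz_if  = "sis1"
lan_if  = "sis2"
dmz_net = "172.16.0.0/16"
lan_net = "172.20.0.0/16"
dmz_ok  = "172.20.1.10"        # the one LAN host allowed into the DMZ

# A floating state may be matched on any interface, but the state created by
# an "in" rule covers that connection's replies going back "out" the same
# interface; the forward packet leaving on the other interface still needs
# its own "out" rule (and state) there, which is what Jimmy concluded above.
set state-policy floating

# Default deny, logged, so anything not covered below can be seen on pflog0.
block log all

# --- LAN side (sis2) ---
# The whole LAN may reach anything except the DMZ; only the admin host may reach the DMZ.
pass in  on $lan_if from $lan_net to ! $dmz_net keep state
pass in  on $lan_if from $dmz_ok  to $dmz_net   keep state
# Replies leave on sis2 through the states above; nothing else is allowed into the LAN.

# --- DMZ side (sis1) ---
# The forward packets from the admin host arrive here and need an "out" state on sis1.
pass out on $dmz_if from $dmz_ok  to $dmz_net   keep state
# DMZ hosts may reach the WAN but never the LAN.
pass in  on $dmz_if from $dmz_net to ! $lan_net keep state

# --- WAN side (sis0) ---
# Forward packets from either internal network leaving for the Internet.
pass out on $ext_if from { $lan_net, $dmz_net } to any keep state
# Internet -> DMZ services would additionally need "pass in on $ext_if ..." and
# "pass out on $dmz_if ..." rules, as Jim points out; they are left out here.
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and once it is loaded `pfctl -ss` shows the separate states on the sis2 "in" and sis1 "out" sides while `tcpdump -n -e -ttt -i pflog0` shows what the `block log` rule dropped. Later pf releases make `keep state` the default, but the explicit form is harmless and keeps the intent visible.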