On Wed, Feb 25, 2009 at 05:39:31PM -0800, patrick keshishian wrote:
> On Wed, Feb 25, 2009 at 5:15 PM, Jason Dixon <ja...@dixongroup.net> wrote:
> > On Wed, Feb 25, 2009 at 04:39:08PM -0800, patrick keshishian wrote:
> >> On Wed, Feb 25, 2009 at 4:07 PM, ropers <rop...@gmail.com> wrote:
> >> > 2009/2/25 patrick keshishian <pkesh...@gmail.com>:
> >> >> On Tue, Feb 24, 2009 at 9:48 PM, Hilco Wijbenga
> >> >> <hilco.wijbe...@gmail.com> wrote:
> >> >>> 2009/2/23 Jason Dixon <ja...@dixongroup.net>:
> >> >>>> ##########################################################
> >> >>>> 00 ext_if = "sk0"
> >> >>>> 01 int_if = "sk1"
> >> >>>> 02
> >> >>>> 03 set skip on lo
> >> >>>> 04
> >> >>>> 05 scrub in
> >> >>>> 06
> >> >>>> 07 nat on $ext_if from $int_if:network to any -> ($ext_if:0)
> >> >>>> 08
> >> >>>> 09 block in log all
> >> >>>> 10 pass in on $int_if inet keep state
> >> >>
> >> >> # I think you are missing a pass out on $ext_if rule
> >> >> 11 pass out on $ext_if
> >> >>
> >> >> w/o 11 all inbound packets are blocked by 09.
> >> >
> >> > Please correct me it I'm wrong, but my understanding is that Jason's
> >> > line 09 is only blocking packets that traverse interfaces in the
> >> > *inward* direction (i.e. from the attached networks (WAN and LAN)
> >> > *in*to the OpenBSD box). And I think that's why a "pass out" rule
> >> > would be unnecessary, as the default is to pass packets. Again, take
> >> > this with truckloads of salt; I could be wrong, but I trust Jason.
> >>
> >> You need states created for traffic passing through the pf firewall,
> >> specifically through the $ext_if to allow packets flowing back in,
> >> otherwise line 09 blocks those packets. I don't see where states would
> >> get created for outbound traffic with Jason's rule-set.
> >
> > Using floating states (the default), line 10 should suffice.  But I
> > forgot to account for outbound DNS requests from the firewall itself.
> > Here is the same ruleset with the one extra rule.  It shouldn't be
> > necessary for outbound traffic originating from $int_if:network, but it
> > won't hurt either.
> 
> The floating states based on line 10 would be for pre-NAT sources on
> $int_if and wouldn't match any inbound packets on $ext_if. Unless I'm
> misunderstanding how NAT works with pf, there are no pass out rules
> that would create states for these packets:

patrick++

I'm usually thinking about translation-before-filtering on inbound
stuff, but never give it much thought for outbound nat.  Good catch.

-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
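For a reader following the thread, here is the quoted ruleset with the outbound rule Patrick proposed (his "line 11") and the firewall-originated DNS rule Jason mentions but does not quote. This is an added example, not the ruleset Jason posted; the interface names are carried over from the quoted rules, the form of the DNS rule is an assumption, and it uses the pre-4.7 `nat on` syntax of the original rules.

```pf
# Added example, not the ruleset posted in the thread.
ext_if = "sk0"      # interface names as in the quoted ruleset (assumed)
int_if = "sk1"

set skip on lo

scrub in

# Outbound NAT: LAN sources are rewritten to the primary address on $ext_if.
nat on $ext_if from $int_if:network to any -> ($ext_if:0)

# Default deny on every interface, logged so pflog0 shows what was dropped.
block in log all

# Traffic arriving from the LAN: the state created here is keyed on the
# pre-NAT (LAN) source address.
pass in on $int_if inet keep state

# Traffic leaving $ext_if: creates the state that replies arriving on
# $ext_if are matched against, for NATed LAN flows and for connections the
# firewall itself originates.
pass out on $ext_if inet keep state

# Narrower alternative to the blanket pass out above, if only the
# firewall's own resolver needs to reach the outside (port 53 is assumed).
# pass out on $ext_if inet proto { tcp, udp } from ($ext_if) to any port 53 keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then watch `pfctl -ss` while a LAN host opens a connection: with the `pass out` rule in place you should see state entries whose external side carries the post-NAT source address, and `pfctl -vvsr` shows the evaluation and packet counters climbing on rule 11 rather than on the `block in log all` rule.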