On Thu, Feb 26, 2009 at 03:05:07PM +1100, Rod Whitworth wrote: > On Wed, 25 Feb 2009 21:27:24 -0500, Jason Dixon wrote: > > >The 'block in' will block return traffic since no state is matching for > >outbound traffic (see prior emails about translation before filtering). > > > Oh dear! Then you mean this even simpler ruleset will not work: > # cat pf.conf > ext_if="sis0" > int_if="sis1" > nat on $ext_if from !($ext_if) -> ($ext_if:0) > block in > pass out > pass in on $int_if
Not sure what you're trying to correct me on. This is virtually identical to my last posted ruleset. > <snip> > > Now there is a difference. In case you missed it - I used "pass out" > not "pass out on $ext_if" but that make no difference, in fact as I > pointed out earlier there is no "block out" for anything in the ruleset > so you can remove the "pass out" line entirely. The OP needs "pass out" for DNS resolution from the firewall itself. > Being of less than sound mind at times of stress ( it is tax submission > time ;-( ), I did a reality check and tested all three configurations > I described above and all work. I guess that proves my earlier > statement. I have also tested my rulesets. Without "pass out", traffic from $int_if:network can still forward through the firewall, but it will not get any DNS resolution from the firewall. > Nothing like a practical test is there? I'll agree with you here. Patrick makes a good point in that translation rules always apply before filter rules and that *should* take effect here as well (nat outbound). However, after thinking about it a bit more, we usually apply this in the case of filtering *and* translation happening on the *same* interface. In our example with nat, the filtering (and state creation) takes place on the internal interface first. It is then routed through and allowed to pass outbound on $ext_if since a matching state already exists. At least, that's my interpretation of the flow. Feel free to correct me where my logic is flawed. -- Jason Dixon DixonGroup Consulting http://www.dixongroup.net/
