Hello Jason,

Thank you for assisting me in getting this together.

I do understand that translation happens before filtering (at least I
think I do). What I don't understand is why the filtering is done with
"pass in" if traffic is actually going from within the int_if2 network
to the outside. Where is the traffic actually going "in"?

> pass in on $int_if2 inet proto udp from $int_if2:network to any \
>       port 53

Thank you.

Andres

On Sun, Jul 26, 2009 at 6:36 PM, Jason Dixon<ja...@dixongroup.net> wrote:
> On Sun, Jul 26, 2009 at 01:16:02PM -0500, Andres Salazar wrote:
>> Hello Jason,
>>
>> I understood the purpose of allowing internet access for the firewall
>> itself. However, this is exactly where I am still stuck.
>>
>> By doing this after our default block all:
>>
>> pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any \
>>         port { 53 80 22 443 }
>>
>> I am actually allowing it for both $int_if and $int_if2, thus the
>> following port restriction rules are not getting evaluated.
>
> In an effort to simplify your ruleset I was guilty of forgetting that
> translation happens before filtering.  Here is a new version that
> filters on the internal interfaces.  Let me know if you have any
> questions.
>
>
> ext_if = "re1"
> int_if = "re0"
> int_if2 = "re2"
>
> set skip on lo
>
> scrub in
>
> nat on $ext_if inet proto { tcp udp } from $int_if:network to any \
>       -> ($ext_if)
> nat on $ext_if inet proto { tcp udp } from $int_if2:network to any \
>       -> ($ext_if)
>
> block all
> pass out on $ext_if
>
> pass in on $int_if inet proto tcp from $int_if:network to any \
>       port { 53 80 }
> pass in on $int_if inet proto udp from $int_if:network to any \
>       port 53
> pass in on $int_if2 inet proto tcp from $int_if2:network to any \
>       port { 22 53 80 443 }
> pass in on $int_if2 inet proto udp from $int_if2:network to any \
>       port 53
>
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net/
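As an added example, not part of the thread and not Jason's ruleset: the same three-interface layout with the rule directions explained in comments. pf evaluates direction from the firewall's own point of view, so a LAN host's packet heading for the Internet is "in on" the internal interface when it arrives and "out on" the external interface when it leaves; because NAT is applied before filtering, the per-network source address is only still visible at the "in" step. Interface names and port lists are copied from the ruleset above; the pfctl commands in the note are assumptions about how the file is loaded and checked on the firewall.

```pf
# Added example (not from the thread). Same interfaces as above.
ext_if  = "re1"
int_if  = "re0"
int_if2 = "re2"

set skip on lo
scrub in

# Translation runs before filtering: once a LAN packet is seen
# "out on $ext_if" its source is already ($ext_if), so a pass out
# rule there cannot tell $int_if:network from $int_if2:network.
nat on $ext_if inet proto { tcp udp } from $int_if:network  to any -> ($ext_if)
nat on $ext_if inet proto { tcp udp } from $int_if2:network to any -> ($ext_if)

block all

# "in" = the packet is entering the firewall on this interface.
# A host on re0 sending a DNS query is "in on re0" from the firewall's
# point of view, even though the traffic is leaving that LAN. The
# untranslated source is still visible here, so this is where the
# per-network port policy has to live.
pass in on $int_if  inet proto tcp from $int_if:network  to any port { 53 80 }
pass in on $int_if  inet proto udp from $int_if:network  to any port 53
pass in on $int_if2 inet proto tcp from $int_if2:network to any port { 22 53 80 443 }
pass in on $int_if2 inet proto udp from $int_if2:network to any port 53

# "out on $ext_if" is reached by the firewall's own sessions and by LAN
# sessions that already passed an "in" rule above and were translated.
# Nothing blocked on the internal interface gets this far.
pass out on $ext_if
```

To check the file without loading it run `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf`. `pfctl -sr` prints the rules in evaluation order and `pfctl -vsr` adds per-rule packet counters, which is the quickest way to confirm that a LAN client's blocked connection is being stopped by the internal "pass in" rules (no counter movement) rather than reaching the external interface.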
