Hi Rich, You are right. I looked at a fresh PF install, and the FORWARD is empty. The FORWARD on our devel box misled me, there is a related/established line in there... not sure why.
Then, yes, we need to add the forward lines :)

On 12-03-12 11:22 AM, Rich Graves wrote:
>> I don't think it is necessary to add those in the FORWARD. There is the
>> "accept any any RELATED, ESTABLISHED" line in there, we should be OK
>> with it... Even for UDP. I think iptables is able to keep track of the
>> UDP src/dst ip/port and recognize a response.
>
> It's necessary on my box. I'll show you the next time you're on.
>
> I bet that you're looking at a line included by %%filter_forward_inline%%.
> That's only present with inline enforcement, not vlan.
>
> As shipped by RedHat, the default is:
>
> :FORWARD ACCEPT [0:0]
> :OUTPUT ACCEPT [0:0]
> :RH-Firewall-1-INPUT - [0:0]
> -A INPUT -j RH-Firewall-1-INPUT
> -A FORWARD -j RH-Firewall-1-INPUT
>
> ...so FORWARD uses the same rules as INPUT. But on my RHEL6 box running PF
> 3.2, conf/iptables.conf does:
>
> :INPUT DROP [0:0]
> :FORWARD DROP [0:0]
> :OUTPUT ACCEPT [0:0]
> %%filter_forward_inline%%
>
> FORWARD doesn't incorporate INPUT. As it shouldn't, because you probably
> don't want the captive portal port to be forwardable off-host.
>
> ------------------------------------------------------------------------------
> Try before you buy = See our experts in action!
> The most comprehensive online learning library for Microsoft developers
> is just $99.99! Visual Studio, SharePoint, SQL - plus HTML5, CSS3, MVC3,
> Metro Style Apps, more. Free future releases when you subscribe now!
> http://p.sf.net/sfu/learndevnow-dev2
> _______________________________________________
> Packetfence-users mailing list
> [email protected]
> https://lists.sourceforge.net/lists/listinfo/packetfence-users
>

-- 
Francois Gaudreault, ing. jr
[email protected] :: +1.514.447.4918 (x130) :: www.inverse.ca
Inverse inc. :: Leaders behind SOGo (www.sogo.nu) and PacketFence (www.packetfence.org)
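The two rule sets Rich quotes above differ in exactly the ways an audit script can check: the FORWARD policy, whether FORWARD simply jumps into the same chain INPUT uses (the Red Hat default, which is what would expose the captive portal port off-host), and whether a RELATED,ESTABLISHED accept rule is reachable from FORWARD at all (which is what decides whether return traffic, UDP included, gets back through). The following is an added example and not PacketFence, Inverse or Red Hat code. The sample dumps are constructed from the fragments in the thread; the `:INPUT` header of the Red Hat file, the body of `RH-Firewall-1-INPUT`, the interface names `eth0`/`eth1` and the two "forward lines" added in the last sample are assumptions, as is the handling of `%%filter_forward_inline%%` as an empty placeholder in VLAN mode.

```python
"""Audit an iptables-save style dump for the FORWARD-chain points raised in
the thread. Added example, not PacketFence or Red Hat code."""
import re
from dataclasses import dataclass, field

BUILTIN_CHAINS = {"INPUT", "FORWARD", "OUTPUT", "PREROUTING", "POSTROUTING"}


@dataclass
class Chain:
    policy: str = "-"  # '-' is what iptables-save prints for user-defined chains
    rules: list = field(default_factory=list)


def parse_iptables_save(dump: str) -> dict:
    """Parse ':NAME POLICY [p:b]' headers and '-A CHAIN ...' rules of one table.
    Lines starting with '%' are treated as unexpanded PacketFence template
    placeholders (assumption: in VLAN mode %%filter_forward_inline%% expands
    to nothing) and skipped."""
    chains = {}
    for raw in dump.splitlines():
        line = raw.strip()
        if not line or line[0] in "#*%" or line == "COMMIT":
            continue
        if line.startswith(":"):
            name, policy = line[1:].split()[:2]
            chains[name] = Chain(policy=policy)
        elif line.startswith("-A "):
            parts = line.split()
            chains.setdefault(parts[1], Chain()).rules.append(" ".join(parts[2:]))
    return chains


def user_chain_targets(chains: dict, name: str) -> set:
    """User-defined chains that `name` jumps to (ACCEPT/DROP/REJECT are ignored)."""
    targets = set()
    for rule in chains.get(name, Chain()).rules:
        m = re.search(r"(?:-j|--jump)\s+(\S+)", rule)
        if m and m.group(1) in chains and m.group(1) not in BUILTIN_CHAINS:
            targets.add(m.group(1))
    return targets


def accepts_established(chains: dict, name: str, seen=None) -> bool:
    """True if a '--state/--ctstate ...ESTABLISHED ... -j ACCEPT' rule is
    reachable from chain `name`, following jumps into user-defined chains."""
    if seen is None:
        seen = set()
    if name in seen:
        return False
    seen.add(name)
    for rule in chains.get(name, Chain()).rules:
        if re.search(r"--(?:state|ctstate)\s+\S*ESTABLISHED", rule) and re.search(r"-j\s+ACCEPT\b", rule):
            return True
    return any(accepts_established(chains, t, seen) for t in user_chain_targets(chains, name))


def audit_forward(dump: str) -> dict:
    """Summarise the FORWARD chain: policy, rule count, chains it shares with
    INPUT, and whether return traffic would be accepted."""
    chains = parse_iptables_save(dump)
    fwd = chains.get("FORWARD", Chain())
    shared = user_chain_targets(chains, "FORWARD") & user_chain_targets(chains, "INPUT")
    return {
        "forward_policy": fwd.policy,
        "forward_rule_count": len(fwd.rules),
        "forward_reuses_input_chains": sorted(shared),
        "forward_accepts_established": accepts_established(chains, "FORWARD"),
    }


# Constructed sample: Red Hat default as quoted, plus an assumed INPUT header
# and an assumed body for RH-Firewall-1-INPUT.
REDHAT_DEFAULT = """
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -p tcp -m tcp --dport 80 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

# Constructed sample: PF 3.2 conf/iptables.conf as quoted, VLAN enforcement,
# so the placeholder contributes nothing and FORWARD stays empty.
PF_VLAN = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
%%filter_forward_inline%%
COMMIT
"""

# Constructed sample: the same file with the "forward lines" the thread agrees
# to add (rule content and interface names eth0/eth1 are assumed).
ADDED_FORWARD_RULES = (
    "-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT\n"
    "-A FORWARD -i eth1 -o eth0 -j ACCEPT\n"
)
PF_VLAN_WITH_FORWARD = PF_VLAN.replace("COMMIT", ADDED_FORWARD_RULES + "COMMIT")

if __name__ == "__main__":
    for label, dump in [("redhat-default", REDHAT_DEFAULT),
                        ("pf-vlan", PF_VLAN),
                        ("pf-vlan+forward", PF_VLAN_WITH_FORWARD)]:
        print(label, audit_forward(dump))
```

Run against `iptables-save` output from a real box (`iptables-save | python3 -c 'import sys, audit; print(audit.audit_forward(sys.stdin.read()))'`), the Red Hat default reports `forward_reuses_input_chains == ["RH-Firewall-1-INPUT"]` with an accept for established traffic inherited through that chain, the stock PF 3.2 VLAN file reports a DROP policy with zero rules and no path for return traffic, and the file with the two added lines keeps the DROP policy and the separation from INPUT while accepting RELATED,ESTABLISHED in FORWARD.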
