On 18 Dec 2003 18:34:42 -0800, [EMAIL PROTECTED] (Jim Mays) wrote:
Hey Jim

>As suggested here is the file. The last 4 lines have no effect. The
>computer can web surf all day. Thanks
>
>[snip]
># Insert a default last match block rule here as the very 1st packet
># filtering rule. Now nothing will flow until you specifically allow it.
>block log all
>[snip some more]
>#
>block in quick on $ExtIF from any to 192.168.100.130
>block out quick on $ExtIF from 192.168.100.130 to any
>block in quick on $IntIF from any to 192.168.100.130
>block out quick on $IntIF from 192.168.100.130 to any

As Daniel has said, address translation happens *before* the packets are
sent through to the outside interface for filtering. When you start off
working with firewalls, where NAT happens can take some getting used to.

Some more hints from those of us who have a rather large T-shirt
collection. :-)

Add the 'log' keyword to every rule; you can always drop the logging
level later, but it's impossible to debug a policy without it.

Having the ability to look at the PF logs remotely via syslog without
being logged into the firewall is *very* useful. I use Kiwi Syslog to do
this and have tweaked the following accordingly:

~~ $ grep -i local0.info /etc/syslog.conf
mail.info,local0.info,local1.info       @loghost
local0.info                             /var/log/pflog.txt

Turn off pflogd; I personally have no use for logs captured in binary
tcpdump format.

~~ $ grep -i pflog /etc/rc.conf
pflogd_flags="NO"       # add more flags, ie. "-s 256"

Instead, in /etc/rc.local:

# Redirect Firewall logging to syslog
#
ifconfig pflog0 up
echo -n 'pflog -> syslog' && (tcpdump -l -e -t -i pflog0 | logger -p \
local0.info -t pf &)
echo '.'

This dumps human readable logging directly from the log interface and
sends it straight to syslog.

Use

~~ $ grep -i pflog /etc/newsyslog.conf
/var/log/pflog.txt      600  7     *    @T00  Z

to roll over the firewall logs.

Use the 'label' word at the end of each rule to tag them. It makes the
use of 'pftop' a lot more intuitive.

greg
--
Once you try my burger baby, you'll grow a new thyroid gland.
I said just eat my burger, baby, make you smart as Charlie Chan.
You say the hot sauce can't be beat. Sit back and open wide.
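Once the pflog0 output is landing in a plain-text syslog file as greg describes, the payoff is that the file can be summarised with ordinary shell tools. The script below is an added example, not part of the thread, that counts block decisions per interface and direction and lists the most frequently blocked source addresses. The sample lines are constructed to resemble what "tcpdump -l -e -t -i pflog0 | logger -p local0.info -t pf" would produce after syslog adds its date/host/tag prefix; the exact field positions are an assumption to check against your own /var/log/pflog.txt, since tcpdump output varies by version and by whether -n is used.

```shell
#!/bin/sh
# Added example (not from the original post): summarise pf log lines that
# reached syslog via "tcpdump -l -e -t -i pflog0 | logger -p local0.info -t pf".
#
# Constructed sample of /var/log/pflog.txt. Assumed shape per line:
#   <Mon> <day> <time> <host> pf: rule N/(match) <action> <dir> on <if>: <src> > <dst>: ...
# so awk fields are: $6=rule $7=N/(match) $8=action $9=dir $11=if: $12=src $14=dst:
SAMPLE_LOG=$(cat <<'EOF'
Dec 19 10:00:01 fw pf: rule 0/(match) block in on fxp0: 203.0.113.7.4444 > 192.0.2.10.22: S 0:0(0) win 512
Dec 19 10:00:02 fw pf: rule 0/(match) block in on fxp0: 203.0.113.7.4445 > 192.0.2.10.23: S 0:0(0) win 512
Dec 19 10:00:03 fw pf: rule 3/(match) pass out on fxp0: 192.0.2.10.51000 > 198.51.100.5.80: S 0:0(0) win 16384
Dec 19 10:00:04 fw pf: rule 0/(match) block in on fxp1: 192.168.100.130.1025 > 192.0.2.10.53: udp 40
Dec 19 10:00:05 fw pf: rule 5/(match) block out on fxp0: 192.0.2.10.1025 > 203.0.113.9.25: S 0:0(0) win 16384
EOF
)

# count_blocks IFACE DIR
#   Prints the number of "block" lines for the given interface and direction
#   (in/out). Reads $SAMPLE_LOG here; on a real box pipe the log file instead.
count_blocks() {
    printf '%s\n' "$SAMPLE_LOG" | awk -v ifc="$1" -v dir="$2" '
        $6 == "rule" && $8 == "block" && $9 == dir && $11 == (ifc ":") { n++ }
        END { print n + 0 }'
}

# top_blocked_sources N
#   Prints the N most frequent source addresses among block lines, as
#   "<count> <address>". The trailing ".port" is stripped from the source.
top_blocked_sources() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        $6 == "rule" && $8 == "block" { sub(/\.[0-9]+$/, "", $12); c[$12]++ }
        END { for (s in c) print c[s], s }' | sort -rn | head -n "$1"
}

# blocks_by_interface
#   One line per interface/direction pair seen in block lines, e.g. "fxp0 in 2".
blocks_by_interface() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        $6 == "rule" && $8 == "block" { sub(/:$/, "", $11); c[$11 " " $9]++ }
        END { for (k in c) print k, c[k] }' | sort
}

# Stand-alone run: print the summary for the constructed sample.
echo "blocked in on fxp0:  $(count_blocks fxp0 in)"
echo "blocked in on fxp1:  $(count_blocks fxp1 in)"
echo "blocked out on fxp0: $(count_blocks fxp0 out)"
echo "top blocked sources:"
top_blocked_sources 3
echo "blocks by interface/direction:"
blocks_by_interface
```

Because greg's setup routes the same lines to @loghost, the identical awk runs on the central syslog server, which is where it is most useful: a sudden jump in "block in on $ExtIF" counts, or one source address dominating the top list, is visible without touching the firewall. Once rules carry a 'label', the label text also appears in pftop and can be keyed on the same way.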
