This is my first adventure with PF, coming from Linux, FW-1, etc. For the moment I've decided that I'll allow all outbound packets on every interface to create state. Not sure if that is a good idea or not. Thoughts? I've also set two default rules
block in log-all on { $all_if } all
block out log-all on { $all_if } all

Take for example a web server sitting in the DMZ, where DMZ is using say 192.168.4.0/24, i.e. NAT is being used. The packet comes in via something like
pass in on $wan_if inet proto tcp from any to $www_srv port 80 synproxy state
then it must pass out the $dmz_if which would hit this rule
pass out proto tcp all synproxy state
Now is where my question comes. The first packet back will have both SYN & ACK flags set, all subsequent packets from the $www_srv will have the ACK flag set, and then finally the FIN flag. What would a rule look like that would allow the flow of packets to/from the $www_srv *but* not allow a connection to be created coming from the $www_srv, i.e. only the SYN flag set.
I might be not seeing the forest through the trees as I'm low on sleep today. Please be gentle when you apply the clue stick. ;)
Thanks, Chad
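An added pf.conf fragment (not the original poster's ruleset) showing one way to express the intent asked about above. It relies on two PF behaviours: a TCP rule with `flags S/SA` only lets a packet with SYN set and ACK clear create state, and once a state exists, every later packet of that connection (the server's SYN+ACK, ACKs and FIN) is matched against the state table before the ruleset is consulted, on any interface under the default floating state policy. The interface names, the 192.168.4.10 server address and the $all_if macro contents are constructed for this example; the rdr rule that maps the public address to $www_srv is assumed to exist elsewhere in the file.

```pf
# Added example, not the poster's configuration. Interface names and the
# server address are constructed placeholders inside the post's DMZ subnet.
wan_if  = "em0"
dmz_if  = "em1"
www_srv = "192.168.4.10"
all_if  = "$wan_if $dmz_if"

# Default in PF: a state entry matches on whichever interface the packet uses.
set state-policy floating

# Default deny in both directions, logged.
block in  log on { $all_if } all
block out log on { $all_if } all

# Inbound HTTP: only a bare SYN (S set, A clear) may create the state entry.
# synproxy completes the client handshake before touching $www_srv.
pass in on $wan_if inet proto tcp from any to $www_srv port 80 flags S/SA synproxy state

# No "pass out" rule is required for the server's side of this connection:
# the SYN+ACK, data ACKs and FIN from $www_srv hit the existing state entry
# and are passed by the state table without evaluating the rules above.

# A connection the server itself opens is a SYN arriving *inbound* on $dmz_if
# from $www_srv. It matches no state, so it would already fall to the default
# block; this rule makes that intent explicit and logs it under its own rule.
block in log quick on $dmz_if inet proto tcp from $www_srv to any flags S/SA
```

If the ruleset later gains a broad `pass in on $dmz_if` to let other DMZ hosts initiate traffic, the `quick` keyword on the last rule keeps the web server excluded from it regardless of rule order; `pfctl -vsr` shows per-rule counters, so hits on that block rule are a direct signal that $www_srv tried to open a connection it should not.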
