On Fri, May 21, 2004 at 04:27:19PM -0400, Chad M Stewart wrote:
>
> Take for example a web server sitting in the DMZ, where DMZ is using
> say 192.168.4.0/24, i.e. NAT is being used.  The packet comes in via
> something like
>
>     pass in on $wan_if inet proto tcp from any to $www_srv port 80 synproxy state
>
> then it must pass out the $dmz_if which would hit this rule
>
>     pass out proto tcp all synproxy state
i don't know if you'll run into a problem with having two boundaries of
synproxying, but i tried something like that once a while ago and
connections didn't open.  could've just been i had faulty logic in my
rules.  i'm not conversant enough in using DMZs to confidently answer
your question completely/well, but:

> What would a rule look like that would allow the flow of packets
> to/from the $www_srv *but* not allow a connection to be created coming
> from the $www_srv, i.e. only the SYN flag set.

a rule which doesn't allow a SYN flag could be

    pass inet proto tcp flags /S

basically says "only flag i care about is SYN, and it must not be set"

jared

--
[ openbsd 3.5 GENERIC ( may 10 ) // i386 ]
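As an added example (editor's note, not part of the thread): a pf.conf fragment in the pre-4.7 syntax of the era that keeps the inbound synproxy rule from the question, replaces the broad "pass out proto tcp all" rule, and blocks the DMZ server's own connection attempts with a flags match. The interface names, the external address and the rdr rule are assumptions; $wan_if, $dmz_if and $www_srv are the macros used in the thread.

```pf
# Added example, not the poster's ruleset. Interface names, ext_addr and the
# rdr line are assumptions; addresses are constructed placeholders.
wan_if   = "fxp0"
dmz_if   = "fxp1"
ext_addr = "203.0.113.10"     # constructed public address of the firewall
www_srv  = "192.168.4.10"     # constructed host in the 192.168.4.0/24 DMZ

# NAT: inbound HTTP on the public address is redirected to the DMZ server.
# Filter rules below see the translated (DMZ) destination address.
rdr on $wan_if inet proto tcp from any to $ext_addr port 80 -> $www_srv port 80

# Default deny; everything not matched by a state or a pass rule is dropped.
block log all

# Weak form from the thread: lets every host, $www_srv included, open
# outbound TCP connections through the firewall.
# pass out proto tcp all synproxy state

# Inbound HTTP with a proxied handshake. The state this creates is floating,
# so the SYN pf sends to the server and the server's replies are matched by
# state on $dmz_if as well; no second synproxy rule is needed on that side.
pass in on $wan_if inet proto tcp from any to $www_srv port 80 \
    flags S/SA synproxy state

# The server may answer existing connections (state lookup wins over rules),
# but it may not start new ones: a bare SYN (SYN set, ACK clear) arriving
# from $www_srv on $dmz_if is dropped and logged for detection.
block in log on $dmz_if inet proto tcp from $www_srv to any flags S/SA
```

Connections the server needs to initiate itself (for example DNS or updates to a specific host) would be added as narrow pass rules above the final block line.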
