Good day, I am trying to pass any outgoing TCP connections from my office (<nPrivate>) to campus network (<nPublic>) sites, but block any incoming connections from campus to office.

I can use for it a PF ruleset like this (on a 2-interfaced GW between office & campus):
--------------------------------------------
> block in all
> block return-rst in proto tcp all
>
> pass in on lo0 all
>
> pass in from <nPublic> to <nPublic>
> pass in from <nPrivate> to <nPublic>
> pass in from <nPrivate> to <nPrivate>
>
> pass in proto tcp from <nPrivate> to <nPublic> keep state
--------------------------------------------
I suppose that the last rule would create state for the outgoing connection and pass all campus packets for it. But it seems it does not work ... or I missed some other factors.
Should it work ?

Previously, I have used a construction like this:
> pass in proto tcp from <nPublic> to <nPrivate>
> block in proto tcp from <nPublic> to <nPrivate> flags S/SA
but it has a security issue: a public host could send a spoofed TCP packet, to which the internal host responds with RST. So a public host could perform a ping-scan (by nmap, for example) of the internal network.

(feel free to send any RTFM links)

Thank you.

Ilya A. Kovalenko
S.A, SpecialEQ SW section
JSC Oganer-Service
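Added example (editor's, not part of the original post): a pf.conf fragment showing the stateful, outbound-only pattern the post is aiming at, with the policy expressed per interface so that the state created by the office-side SYN carries the campus-side replies and nothing else from campus is admitted. Interface names, the table contents and the `antispoof` line are assumptions, not taken from the post.

```pf
# Assumed interface names and example prefixes (placeholders, not from the post)
ext_if = "em0"                      # campus-facing interface
int_if = "em1"                      # office-facing interface
table <nPrivate> { 10.0.0.0/24 }    # office prefix (placeholder)
table <nPublic>  { 192.0.2.0/24 }   # campus prefix (placeholder)

set skip on lo0

# Default deny, silently: the gateway itself never answers a probe with RST,
# and a stray non-SYN segment from campus is dropped here instead of being
# forwarded to an office host that would reply with RST.
block drop in all
block drop out all

# Campus packets claiming an office source address are spoofed: drop them.
antispoof for $int_if inet

# Office -> campus TCP: only an initial SYN may create state. Replies from
# campus (arriving in on $ext_if) match the floating state entry and pass
# without needing any "pass in on $ext_if" rule.
pass in  on $int_if proto tcp from <nPrivate> to <nPublic> flags S/SA keep state
pass out on $ext_if proto tcp from <nPrivate> to <nPublic> flags S/SA keep state

# Campus -> office: intentionally no pass rule. Connections can only be
# initiated from the office side.
```

Two points of design in this fragment: `block drop` (rather than `block return-rst`) keeps the gateway from generating RST replies of its own, and `flags S/SA keep state` means state is created only for a packet with SYN set and ACK clear, so a packet that is not part of an office-initiated connection has no state to match and is discarded before any office host can answer it. On recent pf releases `keep state` and `flags S/SA` are the defaults for TCP, but stating them explicitly keeps the ruleset valid on older syntax as well.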
