Hi, I have some simple questions about normalization and state keeping. Eh, yes, I did RTFM and read the FAQ on the OpenBSD site, which were very helpful. :-)
I wish to normalize inbound and outbound traffic, so I used:

scrub on $ext_if all fragment reassemble reassemble tcp random-id

So outbound traffic which leaves on $ext_if will get a random IP-ID, and inbound fragments are reassembled. Are outbound fragments also reassembled this way, or not? I mean, otherwise random-id would not work for outgoing packets that are fragmented, because then there would be no way for the remote side to reassemble the fragments. Is what I described correct or not?

If I have set state-policy floating and I have

block in on $ext_if
pass out on $ext_if modulate state

then traffic incoming on $int_if will be allowed, because it may leave through $ext_if, right? Traffic to an open port (on the pf machine) on $int_if will also be accepted, and traffic which comes in on $ext_if belonging to a connection initiated by a machine connected to $int_if is also allowed to pass out on $int_if, right?

If I have set state-policy if-bound and I wish to allow clients on $int_if to make connections to web servers, I need to have:

pass in on $int_if inet proto tcp from a.b.c/24 to any port 80 \
    keep state
pass out on $ext_if inet proto tcp from a.b.c/24 to any port 80 \
    modulate state

I assume that filtering on outbound traffic is done before NAT? Would the above be correct? I would have to add state keeping in both rules?

Suppose with the same state-policy if-bound I wish to allow traffic to an internal web server:

pass in on $ext_if inet proto tcp from any to any port 80 flags S/SA \
    synproxy state
pass out on $int_if inet proto tcp from any port 80 to any keep state

Is this correct, or am I missing things (apart from NATting)?

Bye, Mipam.
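A complete pf.conf for the if-bound scenario in the post, added here as an editor's example rather than something from Mipam's message. It uses the pre-OpenBSD 4.7 scrub/nat/rdr syntax the post is written in, and the interface names (fxp0, fxp1), the LAN prefix 192.168.1.0/24 and the web server address 192.168.1.10 are assumptions chosen for the example. The point it adds beyond the post is the ordering question raised there: in pf, translation (nat and rdr) rules are evaluated before filter rules, so a pass out rule on $ext_if sees the already-translated source address, and a pass in rule on $ext_if for a redirected service sees the internal destination address. With state-policy if-bound, a state created on one interface is not consulted on the other, so forwarded traffic needs a state-creating rule on each interface it crosses.

```pf
# Assumed names and addresses (example only, not from the original post)
ext_if  = "fxp0"
int_if  = "fxp1"
lan_net = "192.168.1.0/24"
web_srv = "192.168.1.10"

# States are bound to the interface they were created on, so both
# interfaces a forwarded connection crosses need their own state rule.
set state-policy if-bound

# Reassemble fragments in both directions on the external interface,
# normalize TCP, and randomize the IP-ID of outgoing packets.
scrub on $ext_if all fragment reassemble reassemble tcp random-id

# Translation rules run before filter rules: the filter sees the
# translated packet.
nat on $ext_if from $lan_net to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $web_srv port 80

block in on $ext_if

# LAN clients to external web servers.
# Inbound on $int_if: the source is still the untranslated LAN address.
pass in on $int_if inet proto tcp from $lan_net to any port 80 \
    flags S/SA keep state
# Outbound on $ext_if: nat has already rewritten the source to the
# external address, so "from $lan_net" would never match here.
pass out on $ext_if inet proto tcp from ($ext_if) to any port 80 \
    flags S/SA modulate state

# Internet to the internal web server.
# Inbound on $ext_if: rdr has already rewritten the destination to
# $web_srv, so match the internal address, not ($ext_if).
pass in on $ext_if inet proto tcp from any to $web_srv port 80 \
    flags S/SA synproxy state
# Outbound on $int_if: the packet is still headed to $web_srv port 80;
# matching "from any port 80" would select the reply direction instead.
pass out on $int_if inet proto tcp from any to $web_srv port 80 \
    flags S/SA keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check, then `pfctl -f /etc/pf.conf`; `pfctl -ss` afterwards shows each forwarded connection as two states, one per interface, which is what if-bound implies.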
