On Sun, 5 Sep 2004, Oliver Humpage wrote:

> On Sun, 5 Sep 2004, Mipam wrote:
>
> > If I have set state-policy floating and I have
> > block in on $ext_if
> > pass out on $ext_if modulate state
> >
> > Then traffic incoming on $int_if will be allowed, because it may
> > leave through the $ext_if right? Traffic to an open port (on the pf
> > machine) on the $int_if
> > will also be accepted, and traffic which comes in on $ext_if belonging to
> > a connection initiated by a machine connected to the $int_if is also
> > allowed to pass out on $int_if right?
>
> I believe so: best way to find out is to experiment :)
It works fine. :-)

> > and I wish to allow clients on the $int_if to make connections to web
> > servers I need to have:
> >
> > pass in on $int_if inet proto tcp from a.b.c/24 to any port 80 \
> > keep state
> > pass out on $ext_if inet proto tcp from a.b.c/24 to any port 80 \
> > modulate state
>
> Yes, as long as you're not doing NAT (see below).
>
> > I assume that filtering on outbound traffic is done before NAT?
>
> No - that's why nat (and rdr and binat) come before filtering in the
> ruleset: packets are first translated via NAT, then packet matching
> applied. So your second rule ought to be:

Hmm, I see, so for outbound traffic over $ext_if:
1) nat
2) filtering
And for inbound traffic first filtering and then nat.
For ipf it's the other way around. Okay, it clears things up, thank you.

> > Suppose with the same state-policy if-bound and I wish to allow
> > traffic to an internal webserver:
> >
> > pass in on $ext_if inet proto tcp from any to any port 80 flags S/SA \
> > synproxy state
> > pass out on $int_if inet proto tcp from any port 80 to any keep state
>
> second rule should be "... from any to any port 80...", although I'd
> advise using a specific network rather than 'any' in both rules (i.e. from
> any to a.b.c/24 port 80).

Okay, but in the first rule I cannot use a.b.c/24, because natting will
happen after filtering inbound, right?
So the second rule would then be:
pass out on $int_if inet proto tcp from any to a.b.c/24 port 80 keep state
(supposing natting happened before this rule is applied?)

> I'm sure there are many more subtleties other people can offer, I'm just
> replying with what I know because no-one else has yet :)

Thanks for the reply.
Bye,
Mipam.
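As an added illustration of the ordering Oliver describes (not part of the original thread), here is a ruleset in the pf.conf syntax of that era, where nat and rdr are separate rules that pf applies before the filter rules in both directions, so the filter rules match on the translated addresses. Interface names, the LAN prefix and the web server address are placeholders; since OpenBSD 4.7 translation is instead written as nat-to/rdr-to options on match or pass rules, but the translate-then-filter order is unchanged.

```pf
ext_if    = "fxp0"          # placeholder external interface
int_if    = "fxp1"          # placeholder internal interface
lan       = "192.0.2.0/24"  # placeholder for a.b.c/24
webserver = "192.0.2.10"    # placeholder internal web server

set state-policy floating

# Translation happens first, for both directions.
nat on $ext_if from $lan to any -> ($ext_if)
rdr on $ext_if inet proto tcp from any to ($ext_if) port 80 -> $webserver port 80

block in on $ext_if

# Outbound web from the LAN: on $int_if the source is still the LAN address ...
pass in  on $int_if inet proto tcp from $lan to any port 80 keep state
# ... but by the time the packet is filtered on $ext_if, nat has already
# rewritten the source, so "from $lan" would not match here.
pass out on $ext_if inet proto tcp from ($ext_if) to any port 80 modulate state

# Inbound web to the internal server: rdr has already rewritten the
# destination before filtering, so the filter rule names the real server,
# not "any", and synproxy only completes the handshake for that host.
pass in  on $ext_if inet proto tcp from any to $webserver port 80 \
    flags S/SA synproxy state
pass out on $int_if inet proto tcp from any to $webserver port 80 keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -sr` after loading shows the filter rules as pf sees them.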
