on 6/9/04 11:18 am, Mipam at [EMAIL PROTECTED] wrote:

> On Mon, 6 Sep 2004, Oliver Humpage wrote:
>
>> on 6/9/04 9:21 am, Mipam at [EMAIL PROTECTED] wrote:
>>
>>> Hmm, I see, so for outbound traffic over $ext_if
>>> 1) nat
>>> 2) filtering
>>>
>>> And for inbound traffic first filtering and then nat.
>>> For ipf it's the other way around, okay, it clears things up, thank you.
>>
>> No, it's always NAT then filtering. However, NAT creates an implicit state,
>> so inbound traffic is always allowed back in through $ext_if.
>
> So also for inbound traffic it's first nat then filtering as well??

Always that way round. Just think of the packet following the ruleset in
order.

>>> Okay, but in the first rule I cannot use a.b.c/24, because natting will
>>> happen after filtering inbound, right?
>>
>> Oh, if you're trying to let outside people into your NATted network (e.g.
>> you have a web server behind your firewall), then you'll need to use port
>> forwarding or an rdr. Or have I misunderstood?
>
> You are right of course, but apart from the rdr rule I need to grant
> access by pass in and pass out as I specified before, right?

The ruleset would be (say):

    rdr pass on $ext_if inet proto tcp from any to $ext_ip_addr port 80 \
        -> $int_web_server_ip port 80

That rule should create a state on $ext_if automatically, and the 'pass'
modifier will let packets in, so no need to allow things in/out on that
interface.

Or, if you only want to allow certain people in, drop the pass modifier and
use the rule:

    pass in on $ext_if inet proto tcp from $allowed_hosts to \
        $int_web_server_ip port 80 keep state

Either way, internally you will need:

    pass out on $int_if inet proto tcp from any to $int_web_server_ip \
        port 80 keep state

Oliver.

--
Oliver Humpage
ICT Co-ordinator, Watershed Media Centre -- +44 (0)117 9276444

E-mails received are assumed to be for my attention, to do with as I wish.
No responsibility is accepted if communications are sent to me in error.
This disclaimer has as much legal status as yours.
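A complete pf.conf that puts the rules from the reply above in the order pf evaluates them (translation first, then filtering), as an added example that is not part of the original mail; the interface names, addresses and the $allowed_hosts list are assumed values.

```pf
# Added example: minimal /etc/pf.conf built around the rules in the reply.
# Interface names, addresses and the allowed-host list are assumptions.
ext_if = "fxp0"
int_if = "fxp1"
ext_ip_addr = "192.0.2.10"                         # public address (assumed)
int_net = "10.0.0.0/24"                            # LAN behind $int_if (assumed)
int_web_server_ip = "10.0.0.80"                    # web server on the LAN (assumed)
allowed_hosts = "{ 198.51.100.5, 198.51.100.6 }"   # permitted clients (assumed)

# Translation rules run before filter rules for every packet.
# Outbound: hide the LAN behind the external address.
nat on $ext_if from $int_net to any -> $ext_ip_addr

# Inbound: rewrite the destination to the web server. The 'pass' modifier
# creates state and lets the packet through, so no 'pass in on $ext_if'
# rule is needed. Use this form when anyone may reach the web server.
rdr pass on $ext_if inet proto tcp from any to $ext_ip_addr port 80 \
    -> $int_web_server_ip port 80

# Default deny; everything below is a filter rule.
block all

# Alternative when only $allowed_hosts may connect: drop the 'pass' modifier
# from the rdr above and filter on the translated destination (the filter
# sees the internal address because rdr already ran).
# rdr on $ext_if inet proto tcp from any to $ext_ip_addr port 80 \
#     -> $int_web_server_ip port 80
# pass in on $ext_if inet proto tcp from $allowed_hosts to \
#     $int_web_server_ip port 80 keep state

# Either way the forwarded packet still has to leave through $int_if.
pass out on $int_if inet proto tcp from any to $int_web_server_ip \
    port 80 keep state

# LAN hosts going out: in on $int_if, then out on $ext_if. After nat the
# packet's source is $ext_ip_addr, which is what the $ext_if filter sees.
pass in on $int_if from $int_net to any keep state
pass out on $ext_if from $ext_ip_addr to any keep state
```

Parse it with `pfctl -nf /etc/pf.conf` before loading; `-n` checks the syntax without changing the running ruleset.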
