On Mon, 6 Sep 2004, Oliver Humpage wrote:

> on 6/9/04 11:18 am, Mipam at [EMAIL PROTECTED] wrote:
>
> > On Mon, 6 Sep 2004, Oliver Humpage wrote:
> >
> >> on 6/9/04 9:21 am, Mipam at [EMAIL PROTECTED] wrote:
> >>
> >>> Hmm I see, so for outbound traffic over $ext_if
> >>> 1) nat
> >>> 2) filtering
> >>>
> >>> And for inbound traffic first filtering and then nat.
> >>> For ipf it's the other way around, okay, it clears things up, thank you.
> >>
> >> No, it's always NAT then filtering. However, NAT creates an implicit state,
> >> so inbound traffic is always allowed back in through $ext_if.
> >
> > So also for inbound traffic it's first nat then filtering as well??
>
> Always that way round. Just think of the packet following the ruleset in
> order.
>
> >
> >>> Okay, but in the first rule I cannot use a.b.c/24, because natting will
> >>> happen after filtering inbound right?
> >>
> >> Oh, if you're trying to let outside people into your NATted network (e.g.
> >> you have a web server behind your firewall), then you'll need to use port
> >> forwarding or a rdr. Or have I misunderstood?
> >
> > You are right of course, but apart from the rdr rule I need to grant
> > access by pass in and pass out right as I specified before right?
>
> The ruleset would be (say):
>
> rdr pass on $ext_if inet proto tcp from any to $ext_ip_addr port 80 \
>     -> $int_web_server_ip port 80
>
> That rule should create a state on $ext_if automatically, and the 'pass'
> modifier will let packets in, so no need to allow things in/out on that
> interface. Or, if you only want to allow certain people in, drop the pass
> modifier and use the rule:
>
> pass in on $ext_if inet proto tcp from $allowed_hosts to \
>     $int_web_server_ip port 80 keep state
>
> Either way, internally you will need:
>
> pass out on $int_if inet proto tcp from any to $int_web_server_ip \
>     port 80 keep state.
Thanks, it's clear.
I'll only use this on the outside interface:

pass in on $ext_if inet proto tcp from $allowed_hosts to \
    $int_web_server_ip port 80 synproxy state

I like pf to do the three-way handshake first for me :-)

Bye,
Mipam.
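An added example, not part of the thread, assembling the rules discussed above into one minimal pf.conf in the old (pre-OpenBSD 4.7, still current FreeBSD) rdr/nat syntax the messages use, with the synproxy variant Mipam settled on. Interface names, addresses and the $allowed_hosts network are assumed placeholders.

```pf
# Added example: assumed interface names and placeholder addresses.
ext_if = "em0"
int_if = "em1"
ext_ip_addr = "203.0.113.10"           # placeholder public address
int_web_server_ip = "192.168.1.80"     # placeholder server on the LAN
lan_net = "192.168.1.0/24"
allowed_hosts = "{ 198.51.100.0/24 }"  # placeholder client network

# Translation rules (nat/rdr) are evaluated before filter rules,
# in both directions. nat also creates state, so replies to
# outbound LAN connections are let back in on $ext_if.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Port forward WITHOUT the "pass" modifier: the destination is
# rewritten and the packet then falls through to the filter rules,
# so the filter can restrict who reaches the server.
rdr on $ext_if inet proto tcp from any to $ext_ip_addr port 80 \
    -> $int_web_server_ip port 80

block all

# Because rdr already ran, this rule matches the translated
# destination ($int_web_server_ip), not $ext_ip_addr.
# synproxy state: pf completes the TCP handshake with the client
# itself and only then opens a connection to the server, so
# half-open SYNs never reach the web server.
pass in on $ext_if inet proto tcp from $allowed_hosts to \
    $int_web_server_ip port 80 synproxy state

# The same connection then leaves through the internal interface.
pass out on $int_if inet proto tcp from any to $int_web_server_ip \
    port 80 keep state

# LAN clients out to the world (source already NATted by the rule above).
pass in  on $int_if from $lan_net to any keep state
pass out on $ext_if from ($ext_if) to any keep state
```

Check the parsed result with `pfctl -nf /etc/pf.conf` before loading it; on a current OpenBSD the rdr and nat lines must be rewritten as `match ... rdr-to` / `match ... nat-to`.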
