Thanks for the info - the /tmp/rules.debug does help to understand what's happening.
Here's a bit of information on RELATED: RELATED packets are similar to ESTABLISHED packets, but something is different. These are packets that are related to an established connection, but are not part of the connection. So far, the only confirmed use of RELATED I've seen has to do with FTP and ICMP, and then only in conjunction with ESTABLISHED for FTP.

So the way I will approach it is to open a port on the WAN interface for servers on the DMZ or LAN interface, and open ports on the LAN interface for proxy servers, DNS and SMTP. From what you've said, the established traffic, i.e. answering/replying traffic, will be passed.

-----Original Message-----
From: Bill Marquette [mailto:[EMAIL PROTECTED]]
Sent: Sunday, 2 July 2006 11:45 PM
To: [email protected]
Subject: Re: [pfSense Support] Linux -> pfsense questions

On 7/2/06, Craig Silva <[EMAIL PROTECTED]> wrote:
> Are there any example rule sets for a standard type firewall without the
> default rule that allows all lan sourced traffic (if there is such a thing)
> for a wan, lan and dmz type firewall?

That's certainly something we'd hoped people would do :) At this time, I'm not aware of any example rulesets.

> iptables tracks the attributes new, established and related in relation to
> connections - does pfsense do this "automatically"?

I'm not sure what "related" does, but we certainly do keep state on traffic. A state entry is created for the SYN in a TCP packet that is allowed; all further packets in that flow are passed if they follow the RFCs and don't muck with sequence numbers, window sizes, etc.

> I only had a brief look at pf documentation as it was at the command line
> level and I couldn't map to the GUI rules - is it worth while going back to
> the pf docs which leads on to the next question
> what are the defaults built in to pfsense?

The rules are in /tmp/rules.debug - there's a large number of system generated rules, but you can see the set options we use and the user generated rules towards the bottom of the ruleset.

> Related to the first question - do you need a rule to allow return traffic
> from an established connection?

Nope...state tables keep track of it all :)

--Bill

---------------------------------------------------------------------
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
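The thread asks for a WAN/LAN/DMZ ruleset without the default "allow everything from LAN" rule, and Bill's answer is that a pass rule with state creates the state entry on the allowed SYN and the replies ride on that state. The pf.conf fragment below is an added example written for this page; it is not from the original thread, from pfSense's /tmp/rules.debug, or from any pfSense release. The interface names (em0/em1/em2), the 192.168.x.0/24 networks, the web server and proxy addresses, and the use of the pre-OpenBSD-4.7 nat/rdr syntax that pfSense of that era generated are all assumptions; adjust them to your own layout.

```pf
# Added example, not the page's own ruleset. Interface names and addresses are assumed.
wan     = "em0"
lan     = "em1"
dmz     = "em2"
lan_net = "192.168.1.0/24"
dmz_net = "192.168.2.0/24"
web_srv = "192.168.2.10"   # assumed DMZ web server
proxy   = "192.168.1.5"    # assumed LAN proxy listening on 3128

set block-policy drop
set skip on lo0
# Default state-policy is floating: a state created by an allowed packet
# entering on $lan also passes that flow out on $wan, and its replies back.

# Translation (old pf syntax): NAT internal networks out, forward 80/443 in.
# Filter rules below see the post-rdr (translated) destination.
nat on $wan from { $lan_net, $dmz_net } to any -> ($wan)
rdr on $wan proto tcp from any to ($wan) port { 80, 443 } -> $web_srv

# Default deny in both directions, logged. No blanket LAN allow anywhere.
block log all

# Drop packets arriving on an interface with a source that belongs elsewhere.
antispoof quick for { $lan, $dmz }

# WAN: only the DMZ web server is reachable. flags S/SA means only a SYN
# (not SYN+ACK) can create state, so a stray ACK never opens a flow.
pass in on $wan proto tcp from any to $web_srv port { 80, 443 } flags S/SA keep state

# LAN: DNS, SMTP and the proxy only. Replies are matched by the state entry,
# so no separate "return traffic" rule is needed for any of these.
pass in on $lan proto { tcp, udp } from $lan_net to any port 53 keep state
pass in on $lan proto tcp from $lan_net to any port 25 flags S/SA keep state
pass in on $lan proto tcp from $lan_net to $proxy port 3128 flags S/SA keep state
pass in on $lan proto icmp from $lan_net to any icmp-type echoreq keep state

# DMZ: may talk to the Internet, never to the LAN. The quick block must
# precede the pass, since the pass would otherwise match LAN destinations.
block in quick on $dmz from $dmz_net to $lan_net
pass in on $dmz proto { tcp, udp } from $dmz_net to any keep state
```

Two caveats for anyone mapping iptables habits onto this. ICMP replies to the echo request above are covered by its state entry, which is the pf counterpart of what RELATED gives you for ICMP errors. FTP is not: pf does not inspect the FTP control channel to open the data connection, so active or passive FTP through this ruleset needs a helper such as ftp-proxy (or pfSense's FTP helper), not a filter rule. Load and syntax-check a hand-written file with `pfctl -nf /etc/pf.conf` before `pfctl -f`; on pfSense itself, compare against /tmp/rules.debug rather than replacing it, since the GUI regenerates that file.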
