> Hi,
>
> I just want to know how to properly handle packets which pass
> through the firewall...
That depends on what you're trying to do exactly.

> I can handle all packets coming to all interfaces of my
> firewall, and the same with outgoing packets, by using in/out
> with the statement "on $interface".
>
> But what about forwarding packets?

Properly configured routing is your best friend. If you need some form of policy based routing, rdr & route-to
http://www.openbsd.org/faq/pf/pools.html#outgoing
will facilitate that.

> With iptables we can set a rule:
>
> iptables -t filter -A FORWARD -i eth0 -o eth1 etc....
>
> With packet filter, how can I have such a way of processing my packets?
>
> If I set up a rule
>
> pass in on $if_internal inet proto tcp \
>     from $internal_networks to any \
>     flags S/SA modulate state
>
> the packets from my internal networks can also exit on my DMZ
> interfaces!

Not if you run a default block policy it won't. The 1st packet filtering rule of every pf policy should be

block log all

From there only permitted ingress & egress flows will be permitted.

> Is the only way to set that up to specify a destination
> with ! { $dmz_networks1, $dmz_networks2 }?

There are a number of ways to skin this particular cat. I am partial to using generic egress rules in combination with tagging myself.

My personal PF policy style is to code '1st match' by using 'quick' on every rule. Whether that's a consequence of being infected with the Checkpoint and Pix virus at an early age, I know not :-).

I would also counsel against the use of 'any'. Negation is a mite more logical and less error prone on larger policies IMHO. Tables will also reduce macro expansion.

Greg

> Thx for any help.
>
> Regards
> Guillaume
>
> --
> Guillaume
> E-mail: silencer_<at>_free-4ever_<dot>_net
> Blog: http://guillaume.free-4ever.net
> ----
> Site: http://www.free-4ever.net

_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
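The ruleset below is an added example, not code from Greg's or Guillaume's messages, showing the policy style the reply recommends: block log all as the first filter rule, quick on every rule, tags instead of enumerating forbidden destinations with ! { ... }, and tables in place of macros and 'any'. Interface names (em0/em1/em2), the address ranges, and the tag names are assumed for illustration. It also adds set state-policy if-bound, which the messages do not mention: with the default floating states, the state created by the pass in rule on the internal interface also matches the same packet when it leaves on the DMZ or external interface, so the pass out rules would never be consulted and the exact leak Guillaume describes would still happen; binding states to interfaces makes the egress rules authoritative.

```pf
# Added example pf.conf (not from the original thread).
# Interfaces, networks and tag names are assumptions.
ext_if = "em0"
int_if = "em1"
dmz_if = "em2"

# Tables instead of macros: no macro expansion, cheap lookups,
# and negation (! <table>) instead of "to any".
table <internal_nets> const { 192.168.0.0/16 }
table <dmz_nets>      const { 10.10.10.0/24 }
table <rfc1918>       const { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }

set skip on lo0
# Without this, a state created by "pass in" on $int_if would also
# match the packet on its way out $dmz_if/$ext_if and bypass the
# egress rules below.
set state-policy if-bound

scrub in all

# 1. Default deny. First filter rule; everything not passed below is
#    dropped and logged (see pflog0).
block log all

# 2. Ingress on the internal interface: what internal hosts may start.
#    Each permitted flow is tagged; no destination is "any".
pass in quick on $int_if inet proto tcp from <internal_nets> \
    to <dmz_nets> port { 80, 443 } \
    flags S/SA modulate state tag INT_TO_DMZ
pass in quick on $int_if inet proto tcp from <internal_nets> \
    to ! <rfc1918> port { 80, 443 } \
    flags S/SA modulate state tag INT_TO_INET

# 3. Egress: a flow may leave an interface only with the matching tag.
#    An internal flow tagged INT_TO_INET never leaves on $dmz_if.
pass out quick on $dmz_if tagged INT_TO_DMZ  keep state
pass out quick on $ext_if tagged INT_TO_INET keep state

# 4. Anything untagged, or tagged for another interface, falls through
#    to "block log all".
```

Check the syntax before loading it with pfctl -nf /etc/pf.conf, then watch pflog0 (tcpdump -n -e -ttt -i pflog0) while testing from an internal host: a connection to a DMZ address on a port other than 80/443 should appear as blocked on $int_if, and one to an Internet address should appear only on $ext_if, never on $dmz_if.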