>>> Not if you run a default block policy it won't.
>>>
>> I've seen my problem.
>>
>> I have a rule which is something like an open door for outgoing packets from
>> the firewall...
>
> Ahhh, that wouldn't help :-).
>

Hhhmmm :-)

This rule has as source the IP of the external interface... but NAT is applied before filtering... So all my outgoing traffic which needs to be NATed was accepted on outbound!

>> And NAT rules are applied before filtering rules.
>> So for traffic going from internal to external, I only have to set up a
>> pass rule on the internal interface!
>
> That depends whether you use 'nat pass' or not. I tend not to, as the PF
> port on FreeBSD doesn't support logging for 'nat pass' presently.
>

I use nat without pass.

> A default block policy with just 'nat' requires an egress rule.
>

Yep...

>>> From there only permitted ingress & egress flows will be permitted.
>>>
>> Yep... that's what I have done now.
>>
>> So if I want very accurate filtering for forwarded packets, I must
>> set up 2 rules every time... one pass in on the incoming interface and
>> another with pass out on the outgoing interface...
>
> Not necessarily :-).
>

In my case... it seems! :-(

> If you don't need to address translate the flow, one can use pass rules
> without direction on interface groups combined with anti spoofing.
>

My internal networks are 192.168.x.x. I have a DMZ with public IPs and another with private IPs...

> e.g.
>
> dmz1="em1"
> inside="em2"
>
> antispoof log quick on em1 for .....
> antispoof log quick on em2 for .....
>
> pass log quick on em $UDP from <insidenets> to <dmznet> port snmp $KS
> pass log quick on em $TCP from $DMZHost to $InsideHost port something $KSF
>
> One rule per flow, state created on both interfaces as not specifying
> direction will match both ingress and egress flows.
>

I'll keep that in mind :-)

>>> Whether that's a consequence of being infected with the Checkpoint and Pix
>>> virus at an early age, I know not :-).
>>>
>> LOL
>>
>> I'm infected with Linux netfilter/iptables... :-)
>
> You have my deepest sympathies :-).
>

Thx :-)

>
>
> Greg
>
>
> Guillaume

--
Guillaume
E-mail: silencer_<at>_free-4ever_<dot>_net
Blog: http://guillaume.free-4ever.net
----
Site: http://www.free-4ever.net
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "[EMAIL PROTECTED]"
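The following pf.conf skeleton is an added example, not part of the thread or either poster's configuration. It puts the three points from Greg's replies into one ruleset: a default block policy, 'nat' without 'pass' so that translated traffic still needs an explicit egress rule on the external interface, and direction-less pass rules on the 'em' interface group for flows that are not translated. Interface names, the addresses, the table contents, the ports and the $KS/$KSF macros are all assumptions for illustration; only the structure follows what the thread describes.

```pf
# Added example (not from the thread). Interface names, addresses, ports and
# the $KS/$KSF macros are assumptions for illustration.
ext        = "em0"            # external interface, public IP
dmz1       = "em1"            # private-IP DMZ
inside     = "em2"            # internal LAN
table <insidenets> { 192.168.0.0/16 }
dmznet     = "10.1.1.0/24"    # assumed DMZ network behind em1
DMZHost    = "10.1.1.10"      # assumed
InsideHost = "192.168.1.20"   # assumed
KS  = "keep state"
KSF = "flags S/SA keep state"

set skip on lo0

# Drop packets whose source address does not belong on the interface they
# arrive on; 'quick' so no later pass rule can override this.
antispoof log quick for $dmz1
antispoof log quick for $inside

# Translation only: no 'pass' keyword, so NATed packets still go through
# the filter rules below (and can be logged there).
nat on $ext from <insidenets> to any -> ($ext)

# Default block policy: nothing passes unless a rule below says so.
block log all

# Translated flow (inside -> Internet): two rules are needed.
# NAT is applied before filtering on $ext, so the egress rule must match
# the translated source, which is the external interface's own address.
pass in  log on $inside inet proto tcp from <insidenets> to any port { 80 443 } $KSF
pass out log on $ext    inet proto tcp from ($ext)      to any port { 80 443 } $KSF

# Untranslated flows between internal interfaces: no direction keyword and
# the 'em' interface group, so one rule matches the packet both on ingress
# and on egress and creates state on both interfaces.
pass log quick on em inet proto udp from <insidenets> to $dmznet    port snmp $KS
pass log quick on em inet proto tcp from $DMZHost     to $InsideHost port ssh  $KSF
```

Two things to check before loading something like this with `pfctl -nf /etc/pf.conf`. First, the 'pass out on $ext from ($ext)' rule is exactly the kind of rule Guillaume describes as an "open door" for the firewall's own traffic: because NAT has already rewritten the source to the external address by the time filtering runs on $ext, that one rule admits both the firewall's own connections and every translated internal flow, so keep it narrow (specific protocols and ports) rather than 'to any'. Second, the direction-less rules only work for flows whose addresses are the same on both interfaces; a translated flow changes its source on $ext and would not match the same 'from'/'to' pair on the way out, which is why the thread limits the one-rule-per-flow trick to untranslated traffic.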