Why can't you read how stateful filtration works? You'd be much
better off with the full explanation of the TCP handshake process, and how
a stateful firewall fits into the picture.

On Mon, 26 Sep 2011 11:26:54 +0330
Hassan Monfared <hmonfa...@gmail.com> wrote:

> Hi again,
> all 6 webservers are behind the FW,
> doesn't the "block in on $intif" rule block TCP handshaking? I mean the ACK
> message must be passed on $intif, mustn't it?
> Regards,
> Hassan H. Monfared
> 
> 
> On Mon, Sep 26, 2011 at 11:21 AM, Gregory Edigarov
> <g...@bestnet.kharkov.ua> wrote:
> 
> >
> > If your firewall is on the same machine as the webserver - you can safely
> > use the ruleset I wrote.
> >
> > If not - you should have   block in on $intif
> >
> > On Mon, 26 Sep 2011 10:40:09 +0330
> > Hassan Monfared <hmonfa...@gmail.com> wrote:
> >
> > > Thank you,
> > > is it right to block connection initiation from inside using a rule,
> > > something like:
> > > block in on $if flags S/SA
> > > Am I right?
> > >
> > > Regards,
> > > Hassan H. Monfared
> > >
> > >
> > > On Mon, Sep 26, 2011 at 10:18 AM, Gregory Edigarov
> > > <g...@bestnet.kharkov.ua> wrote:
> > >
> > > > On Mon, 26 Sep 2011 09:48:20 +0330
> > > > Hassan Monfared <hmonfa...@gmail.com> wrote:
> > > >
> > > > > Hi,
> > > > > Any idea for denying connection initiation to outside from
> > > > > any web server protected by PF? (wanna block Trojans and
> > > > > reverse connections while incoming http traffic is allowed).
> > > >
> > > > block all
> > > > pass in on $if from any to ($if)
> > > >
> > > > will block it as you wish.
> > > >
> > > >
> > > > --
> > > > With best regards,
> > > >        Gregory Edigarov
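
The behaviour this thread is discussing, as an added example that is not from any poster in the thread and is not PF's code: a simplified Python model of a stateful filter in which replies to an allowed inbound connection match a state entry, while a new connection started by the web server hits the default block. The interface names `ext`/`int`, the addresses and the ports are constructed, and the model makes one filtering decision per packet with one shared state table.

```python
# Toy model of stateful filtering (added example; not PF's implementation).
# Simplification: one filtering decision per packet, one shared state table.
from collections import namedtuple

Packet = namedtuple("Packet", "iface src sport dst dport flags")

WEB = "10.0.0.10"       # constructed web server address
CLIENT = "203.0.113.5"  # constructed client address (documentation range)


class StatefulFilter:
    def __init__(self):
        self.states = set()  # each entry: frozenset of the two endpoints

    @staticmethod
    def _key(p):
        # Direction-independent key, so replies match the same state entry.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)})

    def filter(self, p):
        # 1. Packets that belong to an existing state skip the ruleset.
        if self._key(p) in self.states:
            return "pass (state)"
        # 2. The only pass rule: a new connection (bare SYN) arriving on the
        #    external interface for the web server's port 80.
        if p.iface == "ext" and p.dst == WEB and p.dport == 80 and p.flags == "S":
            self.states.add(self._key(p))
            return "pass (rule, state created)"
        # 3. Default: block, including anything new arriving on "int".
        return "block"


def run_demo():
    fw = StatefulFilter()
    packets = [  # constructed sample traffic
        Packet("ext", CLIENT, 40000, WEB, 80, "S"),          # client SYN
        Packet("int", WEB, 80, CLIENT, 40000, "SA"),         # server SYN+ACK
        Packet("ext", CLIENT, 40000, WEB, 80, "A"),          # client ACK
        Packet("int", WEB, 51000, "198.51.100.9", 443, "S"), # server-initiated SYN
    ]
    return [fw.filter(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```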
