thanks for clear answer ! I'd already read. not bad idea to refer every question on the list to the manuals and books or man pages, huh ?
On Mon, Sep 26, 2011 at 11:35 AM, Gregory Edigarov <g...@bestnet.kharkov.ua>wrote: > Why can't you read how does statefull filtration works? You'd be much > better with the full explanation of TCP handshake process, and how does > a statefull firewall fits into picture. > > On Mon, 26 Sep 2011 11:26:54 +0330 > Hassan Monfared <hmonfa...@gmail.com> wrote: > > > Hi again, > > all 6 webservers are behind FW , > > doesn't "block in on $intif" rule blocks TCP handshaking ? I mean ACK > > message must be passed on $intif, mustn't ? > > Regards, > > Hassan H. Monfared > > > > > > On Mon, Sep 26, 2011 at 11:21 AM, Gregory Edigarov > > <g...@bestnet.kharkov.ua>wrote: > > > > > > > > If your firewall is on the same machine as webserver -you can safely > > > use the ruleset i wrote. > > > > > > if not - you should have block in on $intif > > > > > > On Mon, 26 Sep 2011 10:40:09 +0330 > > > Hassan Monfared <hmonfa...@gmail.com> wrote: > > > > > > > thank you, > > > > is it right blocking connection initiation from inside using rule > > > > something like: > > > > block in on $if flags S/SA > > > > am I right ? > > > > > > > > Regards, > > > > Hassan H. Monfared > > > > > > > > > > > > On Mon, Sep 26, 2011 at 10:18 AM, Gregory Edigarov > > > > <g...@bestnet.kharkov.ua>wrote: > > > > > > > > > On Mon, 26 Sep 2011 09:48:20 +0330 > > > > > Hassan Monfared <hmonfa...@gmail.com> wrote: > > > > > > > > > > > Hi, > > > > > > Any idea for denying connection initiation to outside from > > > > > > any web server protected by PF? ( wanna block Trojans and > > > > > > reverse connections while incomming http traffic is allowed) . > > > > > > > > > > block all > > > > > pass in on $if from any to ($if) > > > > > > > > > > will block it as you wish. > > > > > > > > > > > > > > > -- > > > > > With best regards, > > > > > Gregory Edigarov
