Finally I agree ;). But referring to the right document is not a bad idea ;). I do it myself if I can. :) Objective, not subjective ;)
Regards,

On Mon, Sep 26, 2011 at 1:23 PM, Tomas Bodzar <tomas.bod...@gmail.com> wrote:
> On Mon, Sep 26, 2011 at 10:16 AM, Hassan Monfared <hmonfa...@gmail.com> wrote:
> > thanks for the clear answer !
> > I'd already read.
> > not a bad idea to refer every question on the list to the manuals and books or man pages, huh ?
>
> Because nearly 95% or more was already answered in them? ;-) This is not Linux.
>
> > On Mon, Sep 26, 2011 at 11:35 AM, Gregory Edigarov <g...@bestnet.kharkov.ua> wrote:
> >> Why can't you read how stateful filtration works? You'd be much better off with the full explanation of the TCP handshake process, and how a stateful firewall fits into the picture.
> >>
> >> On Mon, 26 Sep 2011 11:26:54 +0330 Hassan Monfared <hmonfa...@gmail.com> wrote:
> >> > Hi again,
> >> > all 6 webservers are behind the FW,
> >> > doesn't the "block in on $intif" rule block TCP handshaking? I mean the ACK message must be passed on $intif, mustn't it?
> >> > Regards,
> >> > Hassan H. Monfared
> >> >
> >> > On Mon, Sep 26, 2011 at 11:21 AM, Gregory Edigarov <g...@bestnet.kharkov.ua> wrote:
> >> > >
> >> > > If your firewall is on the same machine as the webserver - you can safely use the ruleset I wrote.
> >> > >
> >> > > if not - you should have block in on $intif
> >> > >
> >> > > On Mon, 26 Sep 2011 10:40:09 +0330 Hassan Monfared <hmonfa...@gmail.com> wrote:
> >> > > > thank you,
> >> > > > is it right to block connection initiation from inside using a rule something like:
> >> > > > block in on $if flags S/SA
> >> > > > am I right ?
> >> > > >
> >> > > > Regards,
> >> > > > Hassan H. Monfared
> >> > > >
> >> > > > On Mon, Sep 26, 2011 at 10:18 AM, Gregory Edigarov <g...@bestnet.kharkov.ua> wrote:
> >> > > > > On Mon, 26 Sep 2011 09:48:20 +0330 Hassan Monfared <hmonfa...@gmail.com> wrote:
> >> > > > > > Hi,
> >> > > > > > Any idea for denying connection initiation to the outside from any web server protected by PF? (wanna block Trojans and reverse connections while incoming http traffic is allowed).
> >> > > > >
> >> > > > > block all
> >> > > > > pass in on $if from any to ($if)
> >> > > > >
> >> > > > > will block it as you wish.
> >> > > > >
> >> > > > >
> >> > > > > --
> >> > > > > With best regards,
> >> > > > > Gregory Edigarov
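The point Gregory is making about stateful filtering, written out as a complete pf.conf for the "firewall is a separate box in front of the web servers" case from the thread. This is an added example, not a ruleset posted by anyone in the thread; the interface names (em0, em1) and the 192.0.2.x server addresses are assumptions chosen for illustration.

```pf
# Added example (not from the thread). Interface names and addresses are
# assumptions; replace them with your own.
ext_if = "em0"                               # toward the Internet
int_if = "em1"                               # toward the web servers
webservers = "{ 192.0.2.10, 192.0.2.11 }"    # constructed sample addresses

set skip on lo

# Default deny, both directions, every interface. Last matching rule wins,
# so everything below is an exception to this.
block all

# Let clients reach the web servers. In OpenBSD pf a "pass" rule keeps
# state and, for TCP, uses "flags S/SA" by default, so only the client's
# initial SYN is evaluated against this rule. The server's SYN-ACK, the
# client's ACK and every later packet of that connection match the state
# entry instead, in both directions and (with the default floating state
# policy) on $int_if as well as $ext_if. The "block in on $int_if" rule
# below is therefore never consulted for the handshake of an allowed
# connection, which answers the question about the ACK being blocked.
pass in on $ext_if proto tcp from any to $webservers port { 80 443 }

# Anything a web server *initiates* (a reverse shell, malware phoning home)
# arrives on $int_if with no state entry, falls through to this rule and is
# dropped and logged. No "flags S/SA" is needed on a block rule: without a
# state, every packet of the unwanted connection is blocked, not just the SYN.
block in log on $int_if
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the state entries that carry the return traffic, and `tcpdump -n -e -ttt -i pflog0` shows the blocked outbound attempts, which is the detection signal you want from a compromised web server. For the "firewall on the same machine as the web server" case, the two-line ruleset Gregory posted (`block all` followed by `pass in on $if from any to ($if)`) works for the same reason: the pass rule creates the state, and the server's own replies ride on it.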