Quoting Jim Razmus <[EMAIL PROTECTED]>:

> * Jimmy Scott <[EMAIL PROTECTED]> [051113 12:35]:
> > Hi misc@,
> >
> > I finally had some time to rearrange my network, and split it into 3
> > parts: LAN, DMZ, WAN.
> >
> > Basically, the LAN (172.20) may not access the DMZ (172.16), but host
> > 172.20.1.10 can. The DMZ may not access the LAN, and both can go to the
> > WAN.
> >
> > But for some reason, when I create state from 172.20.1.10 to 172.16.x.x,
> > the packet coming back gets blocked, which should not happen because the
> > state would be checked first, and the state really is created?!
> >
> > I tried setting 'set state-policy floating' explicitly, but no advance.
> > Someone who knows what the problem is here? I had a ruleset with a bunch
> > of 'quick' rules before instead of this, but had the same problem.
> >
> > [diagnostics snipped]
>
> I think you might have the concept of "in" and "out" rules confused.
> Visualize yourself sitting in the computer between the three interfaces.
> From that perspective, "in" rules mean a packet coming from a remote
> host to you through one of those interfaces. Conversely, "out" rules
> mean a packet leaving from the local machine to some remote host.
>
> Give something like this a whirl for starters. Caution, I have not
> tested these! You also likely need to allow packets from the Internet
> into your DMZ.
>
> # pf.conf
> [proposed firewall rules snipped]
>
> HTH,
> Jim
Aah, I see what I did wrong. Since I used 'pass all on sis2' in the past, I never realized that state creation on an 'in' will only match an 'out' for traffic in the other direction, right? So for traffic from sis2 to sis1 I will need to create states on the 'in' of sis2 and states on the 'out' of sis1, if I got it right. Also thanks for your example, I will take a look at it later when I'm back home to figure things out.

Kind regards,
Jimmy Scott
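An added illustration of the "in"/"out" direction Jim describes, written for the three-zone layout in the thread; this is not Jim's snipped ruleset nor Jimmy's original. It assumes sis2 is the LAN interface, sis1 the DMZ interface and sis0 the WAN interface (the thread names sis1 and sis2 only), and uses current OpenBSD pf.conf syntax, where pass rules keep state by default.

```pf
# Added example (not from the thread). Interface assignment is assumed:
# sis2 = LAN, sis1 = DMZ, sis0 = WAN (the WAN interface is not named above).
lan_if  = "sis2"
dmz_if  = "sis1"
wan_if  = "sis0"
lan_net = "172.20.0.0/16"
dmz_net = "172.16.0.0/16"
mgmt    = "172.20.1.10"

set skip on lo
block log all

# "in": a packet arriving at the firewall from a remote host on that
# interface. Evaluated as the LAN host's first packet enters on sis2.
# LAN may reach anything except the DMZ; only the management host may
# reach the DMZ.
pass in on $lan_if from $lan_net to ! $dmz_net
pass in on $lan_if from $mgmt    to $dmz_net

# DMZ may reach anything except the LAN. Replies to a LAN-initiated flow
# are matched against the existing state entry before this ruleset is
# consulted, so no "pass in on $dmz_if from $dmz_net to $lan_net" is needed.
pass in on $dmz_if from $dmz_net to ! $lan_net

# "out": a packet leaving the firewall toward a remote host. A flow whose
# state was created by an "in" rule is already matched here under the
# default floating state policy; these rules cover traffic the firewall
# itself originates (DNS, NTP, package fetches) under the block-all policy.
pass out on $wan_if
pass out on $dmz_if
pass out on $lan_if
```

Check the result with `pfctl -nf /etc/pf.conf` to parse without loading, then `pfctl -ss` while the 172.20.1.10 to 172.16.x.x connection is open to confirm a single state carries both directions of the flow.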