Date: Thu, 31 Mar 2005 20:00:51 +0200
From: Michael Knudsen <none@e--molioner.dk.lh.bsd-dk.dk>
To: bsd-dk@bsd-dk.dk
Subject: Re: pf and (lack of) keep state on FreeBSD 5.4 prerelease
Quoting Claus Guttesen (cguttesen@yahoo.dk):
> set state-policy; floating - states can match packets
> on any interface. As long as the packet matches a
> state entry it does not matter what interface it's
> crossing, it will pass. This is the default.
As far as I know, that is intended so that packets belonging to a connection whose
SYN packet came in on e.g. fxp0 are also passed on if they arrive on e.g. fxp1.
Offhand, my understanding is also that pf should behave the way you expect, but I
recently ran into a similar problem. If you want to avoid the problem (and are not
worried about connections originating from the firewall itself), you can do something
like this:
# Internal interface: deny inbound by default, then let LAN hosts open
# connections to the listed ports; state is created on the initial SYN.
block in on $int_if
pass in on $int_if from $int_if:network to any port \
    {what,ever,port} flags S/SA keep state

# External interface: deny inbound by default, then allow specific services.
block in on $ext_if
pass in on $ext_if from any to bla bla bla flags S/SA keep state

# Outbound on both interfaces: pass everything, keeping state so replies get back in.
pass out on $ext_if all flags S/SA keep state
pass out on $int_if all flags S/SA keep state
That is: block inbound traffic by default, and pass outbound traffic by default with
keep state.

Regards, Michael.
-- The Librarian gave him the kind of look other people would reserve for people who said things like `What's so bad about genocide?' -- (Terry Pratchett, Guards! Guards!)
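The sketch above, filled out as a complete, loadable pf.conf. This is an added example and not part of the original message or the bsd-dk thread: the interface names, the service ports, the `log` keywords and the explicit `set state-policy` line are assumptions chosen for illustration, not something the poster wrote. It keeps the same structure (block inbound by default on both interfaces, pass outbound with state) and makes two points explicit that the sketch leaves implicit: `flags S/SA` only ever applies to TCP, so TCP and non-TCP traffic get separate outbound rules, and the floating-versus-if-bound state policy from the quoted man page text is set explicitly rather than left to the default of whichever pf version is installed.

```pf
# Added example (not the original poster's ruleset). Interface names,
# network and ports below are assumptions; adjust them to the machine.
ext_if = "fxp0"
int_if = "fxp1"
lan_tcp_services = "{ 22, 25, 53, 80, 443 }"

# Reassemble fragments before the filter rules see them.
scrub in all

# State policy: 'floating' (the default quoted in the thread) lets a state
# created on one interface match packets arriving on any interface;
# 'if-bound' ties each state to the interface it was created on. Setting
# it explicitly removes any dependence on the version default.
set state-policy floating

# Default deny for anything coming in on either interface. 'log' sends the
# dropped packets to pflog0 so tcpdump -i pflog0 shows what is being blocked.
block in log on $ext_if
block in log on $int_if

# LAN hosts may open TCP connections to the listed ports. 'flags S/SA'
# matches only the initial SYN (SYN set, ACK clear), so exactly one state
# entry is created per connection; 'keep state' then passes the rest of
# the exchange in both directions without re-evaluating the ruleset.
pass in on $int_if proto tcp from $int_if:network to any \
    port $lan_tcp_services flags S/SA keep state

# Services this box offers to the outside: here only ssh (an assumption).
pass in on $ext_if proto tcp from any to $ext_if port 22 flags S/SA keep state

# Default pass with state for everything leaving on either interface.
# 'flags' is meaningful only for TCP, so TCP and UDP/ICMP are separate rules.
pass out on $ext_if proto tcp all flags S/SA keep state
pass out on $ext_if proto { udp, icmp } all keep state
pass out on $int_if proto tcp all flags S/SA keep state
pass out on $int_if proto { udp, icmp } all keep state
```

Before loading, syntax-check the file with `pfctl -nf /etc/pf.conf`; `-n` parses without loading. After loading with `pfctl -f /etc/pf.conf`, `pfctl -ss` lists the state table, which is the quickest way to confirm that a connection opened from the LAN actually created a state entry and which interface it is bound to, and `pfctl -vsr` shows per-rule packet counters for seeing which `block` rule is eating traffic that should have matched a state.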
This archive was generated by hypermail 2b30 : Wed 15 Nov 2006 - 18:24:49 CET