[ As the sig says, please don't CC me - I'm going to see list traffic anyway ]
On Tuesday, August 10, 2004 4:13 PM, [EMAIL PROTECTED] danced on the keyboard and produced:

> On 10/8/2004, "Rob" <[EMAIL PROTECTED]> wrote:
>
> Yes, but firewall is in default to accept ... no .. ?

It's all about state.

> Anyway, here is the beginning of the file now :
>
> pass out on fxp1 proto tcp from any to any keep state
> pass out on fxp1 proto udp from any to any keep state
> pass out on fxp1 proto icmp from any to any keep state
>
> pass out on fxp0 proto tcp from any to any keep state
> pass out on fxp0 proto udp from any to any keep state
> pass out on fxp0 proto icmp from any to any keep state
> pass in on fxp0 proto tcp from any to any keep state
> pass in on fxp0 proto udp from any to any keep state
> pass in on fxp0 proto icmp from any to any keep state

Maybe it's time to read the documentation on how to write rules? Try
http://www.obfuscation.org/ipf/.

I'd suggest something like:

pass in quick on fxp0 from any to any keep state
pass in quick on fxp1 proto udp from any to e.f.g.2 port = 53
pass in quick on fxp1 proto tcp from any to e.f.g.2 port = 53
pass in quick on fxp1 proto tcp from e.f.g.0/24 to e.f.g.2 port = 5802
pass in quick on fxp1 proto tcp from e.f.g.2/24 to e.f.g.2 port = 5902
pass in quick on fxp1 proto tcp from e.f.g.0/24 to e.f.g.2 port = 3306
pass in quick on fxp1 proto tcp from e.f.g.0/24 to e.f.g.2 port = 80
pass in quick on fxp1 proto icmp from any to e.f.g.2
pass in quick on fxp1 from any to e.f.g.3
pass in quick on fxp1 from any to e.f.g.4
pass in quick on fxp1 from any to e.f.g.5
pass in quick on fxp1 from any to e.f.g.6
block in log on fxp1 from any to any

Actually, I'd probably suggest using rule groups and putting e.f.g.2 into its
own group to speed up rule processing:

pass in quick on fxp0 from any to any keep state
#
block in quick on fxp1 from any to any head 2
#
# Group 2
block in quick from any to e.f.g.2 group 2 head 20
pass in quick from any to e.f.g.3 group 2 keep state
pass in quick from any to e.f.g.4 group 2 keep state
pass in quick from any to e.f.g.5 group 2 keep state
pass in quick from any to e.f.g.6 group 2 keep state
block in log from any to any group 2
#
# Group 20
pass in quick from any to any port = 53 group 20 keep state
pass in quick proto tcp from e.f.g.0/24 to any port = 5902 group 20 keep state
pass in quick proto tcp from e.f.g.2/24 to any port = 5902 group 20 keep state
pass in quick proto tcp from e.f.g.0/24 to any port = 3306 group 20 keep state
pass in quick proto tcp from e.f.g.0/24 to any port = 80 group 20 keep state
pass in quick proto icmp from any to any group 20 keep state

I'd also suggest you re-order the rules, with those most likely to be hit
earlier than the others. It's a minor speed improvement, but it never hurts :)

PLEASE - keep list traffic on the list. Email sent directly to me may be
ignored utterly.

-- 
Rob | What part of "no" was it you didn't understand?
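An added example, not part of Rob's post or of IPFilter itself: a small Python model of the ipf rule walk (last matching rule wins, a quick match stops the search, a head rule diverts the packet into its group) run over a trimmed copy of the group ruleset above. The e.f.g.N addresses are kept as the post's placeholders, "/24" is taken to mean the first three labels agree, inbound packets are constructed inline, and a default-pass ipf build is assumed.

```python
# Added model, not IPFilter code: just enough of the ipf rule walk for the post's ruleset.
RULES = """\
pass in quick on fxp0 from any to any keep state
block in quick on fxp1 from any to any head 2
block in quick from any to e.f.g.2 group 2 head 20
pass in quick from any to e.f.g.3 group 2 keep state
block in log from any to any group 2
pass in quick from any to any port = 53 group 20 keep state
pass in quick proto tcp from e.f.g.0/24 to any port = 80 group 20 keep state
"""

def parse(text):
    """Parse the ipf subset used in the post; words not modelled are ignored."""
    rules = []
    for line in text.splitlines():
        t = line.split()
        r = {"text": line, "action": t[0], "quick": "quick" in t, "group": "0",
             "head": None, "iface": None, "proto": None, "src": "any", "dst": "any",
             "port": int(t[t.index("port") + 2]) if "port" in t else None}
        r.update({f: t[t.index(k) + 1] for k, f in (("on", "iface"), ("proto", "proto"),
                  ("from", "src"), ("to", "dst"), ("group", "group"), ("head", "head"))
                  if k in t})
        rules.append(r)
    return rules

def addr_match(spec, ip):
    # e.f.g.N are the post's placeholders; "/24" is taken as "first three labels agree".
    base = spec.rsplit(".", 1)[0]
    return spec in ("any", ip) or (spec.endswith("/24") and base == ip.rsplit(".", 1)[0])

def matches(r, p):
    return (r["iface"] in (None, p["iface"]) and r["proto"] in (None, p["proto"])
            and addr_match(r["src"], p["src"]) and addr_match(r["dst"], p["dst"])
            and r["port"] in (None, p.get("dport")))

def walk(rules, p, group="0"):
    # ipf order: last match wins; quick ends the search; head diverts into its group first.
    match, stop = None, False
    for r in rules:
        if r["group"] != group or not matches(r, p):
            continue
        match = r
        if r["head"]:
            sub, stop = walk(rules, p, r["head"])
            match = sub or match
        if stop or r["quick"]:
            return match, True
    return match, False

def decide(rules, p):
    match, _ = walk(rules, p)   # no match at all: pass, assuming a default-pass ipf build
    return (match["action"], match["text"]) if match else ("pass", "no rule matched")
```

Calling decide(parse(RULES), {"iface": "fxp1", "proto": "tcp", "src": "a.b.c.1", "dst": "e.f.g.2", "dport": 80}) shows outside HTTP to e.f.g.2 stopping at the group 2 head rule, while the same packet from e.f.g.50 is passed by the group 20 rule.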
