On 10/13/06, Kian Mohageri <[EMAIL PROTECTED]> wrote:
> Check out the 3 articles on PF by Daniel Hartmeier (OpenBSD developer). I
> found them to be very clear and concise and I'm pretty sure his explanations
> will help you out.
> http://www.undeadly.org
Thanks for the suggestion! One of these articles clearly explains why
two states (and not just one) need to be created for a traffic
flow to traverse the firewall.
However, I still couldn't find any explanation on why the 'block drop
all' I mention in my first e-mail seems to return ICMPs and not just
silently drop the packets. It's as if while a 'block drop in' *will*
silently drop, a 'block drop out' will not.
I'm really keen on finding out whether it is possible or not to 'block drop
in' and not return ICMP unreachables, because I want to set up pf to
do some "NetScreen-style" policying (where policies are evaluated as
they travel from one "security zone" (i.e. commonly, an interface) to
another).
I want to use pf label so that I can have something like:
block drop all
pass in on vlan1 inet all flags S/SA keep state tag FROM_DESIGNERS
pass out on vlan0 inet all flags S/SA keep state tagged FROM_DESIGNERS
block out on vlan2 inet tagged FROM_DESIGNERS
Which would enforce these policies:
1. all traffic coming from vlan1 to vlan0 is allowed
2. all traffic coming from vlan1 to vlan2 is blocked
The way I see it I have to do my blocking on the outbound interface
(maybe this is totally the wrong way to do it and I'm just being an
idiot -- if this is the case, let me know!). But I want to do my
blocking on the outbound interface and have the packets silently
*dropped*, which I can't seem to be getting right now.
So I'm trying to figure out if silently blocking with 'block drop out'
is actually possible at all and I'm just a moron who can't get it
right, or if maybe, just maybe, it turns out that there's no way to
avoid ICMP unreachables with 'block drop out'.
I'm hoping someone knows the answer to this and can set me straight. :-)
-Martin
--
"Suburbia is where the developer bulldozes out the trees, then names
the streets after them."
--Bill Vaughan
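The ruleset below is an added example and is not part of the thread or of pf's own documentation. It takes the zone policy described above (vlan1 -> vlan0 allowed, vlan1 -> vlan2 denied) and, in addition to the poster's outbound block on vlan2, expresses the vlan1 -> vlan2 denial as a rule on the inbound interface, since the poster observes that a 'block drop in' drops silently. It assumes the interface names from the post, a hypothetical 10.2.0.0/24 network behind vlan2, and keeps FROM_DESIGNERS as the tag name; the real vlan2 addresses would have to be filled in.

```pf
# Added example, not from the thread. Zone-style policy for
# vlan1 -> vlan0 (allowed) and vlan1 -> vlan2 (denied).
# Assumptions: interface names as in the post; 10.2.0.0/24 is a
# placeholder for the real network reachable via vlan2.

table <vlan2_net> const { 10.2.0.0/24 }   # hypothetical subnet behind vlan2

set block-policy drop   # pf's own default answer to blocked packets: silence

block drop all

# vlan1 -> vlan2 is denied. Deciding on the inbound interface, while the
# packet is still being received, keeps the decision in the "in" direction
# (the one the poster saw drop silently). "quick" makes this rule final so
# the later "pass in on vlan1" rule cannot override it (pf is last-match-wins).
block drop in quick on vlan1 inet from any to <vlan2_net>

# vlan1 -> vlan0 is allowed: tag at the inbound zone, match the tag at the
# outbound zone.
pass in on vlan1 inet all flags S/SA keep state tag FROM_DESIGNERS
pass out on vlan0 inet all flags S/SA keep state tagged FROM_DESIGNERS

# The poster's original outbound rule, kept as a safety net for any tagged
# packet that still reaches vlan2 (e.g. if the table above is incomplete).
block drop out on vlan2 inet tagged FROM_DESIGNERS
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading. The trade-off of the inbound form is that it needs the destination networks of the target zone to be known and kept current (a table is the natural place for them), whereas the tag-based outbound block only needs the interface name.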