On Thursday, Mar 20, 2003, at 08:58 US/Pacific, Srebrenko Sehic wrote:

> On Wed, Mar 19, 2003 at 04:23:00PM -0800, Trevor Talbot wrote:
>
> > On Wednesday, Mar 19, 2003, at 15:19 US/Pacific, Srebrenko Sehic wrote:
> >
> > > block in all
> > > block out all
> > > ## allow traffic on $ext_if to $webserver on 80/tcp and 443/tcp
> > > pass in on $ext_if proto tcp from any to $webserver port {80, 443} \
> > >     keep state
> > >
> > > This would not work. Why? We need to pass out on $ext_if as well (since
> > > pf(4) filters on both directions).
> >
> > In this specific case, the "keep state" option will allow traffic back
> > out on $ext_if, from $webserver, provided it is related to the original
> > tcp port {80, 443} traffic that triggered it. You do not need any other
> > "pass out on $ext_if" rules for $webserver for this purpose.
>
> Yeah, it would, _if_ $webserver was on $ext_if/net, but it's not. It's on
> $int_if/net.

It does not matter where $webserver is; related traffic _will_ be
allowed on $ext_if. You do need to allow traffic on $int_if as well,
since that is also blocked, but $ext_if is completely taken care of by
the state entry created by that rule.
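A complete pf.conf that puts the two points of the thread together, as an added example that is not from either poster (interface names and the web server address are assumptions):

```pf
# Constructed example, not from the thread: the interface names and the
# web server address are assumptions; substitute your own.
ext_if = "fxp0"
int_if = "fxp1"
webserver = "192.0.2.10"

# Default deny in both directions on every interface.
block in all
block out all

# Inbound HTTP/HTTPS on the external interface. The state entry this rule
# creates also admits the matching reply packets leaving on $ext_if, so no
# "pass out on $ext_if" rule is needed for this traffic. "flags S/SA" means
# only the initial SYN can create state.
pass in on $ext_if proto tcp from any to $webserver port { 80, 443 } \
    flags S/SA keep state

# $int_if is a separate interface and is still covered by "block out all",
# so the forwarded packets need their own pass rule there. Its state entry
# likewise admits the replies coming back in on $int_if.
pass out on $int_if proto tcp from any to $webserver port { 80, 443 } \
    keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it; on OpenBSD 4.1 and later pf keeps state by default, so `keep state` may be omitted there.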