Hi Matt.


Matt Bettinger wrote:


> Also, I would like to find out how to pass out more than just www
> traffic from the DMZ. Say for instance I wanted to run some other
> services or use lynx on the dmz box etc etc.

Add a "pass in on $dmz_if" rule for each type of traffic you want to permit. In your ruleset below, you're not actually allowing www traffic out from the dmz, you're allowing www traffic in and then permitting the return traffic back out (at least you would be if you were using "keep state" :)).


> nat on $ext_if from {192.168.1.0/24,192.168.3.0/24} to any -> ($ext_if)
> rdr on $ext_if proto tcp from any to $ext_if port www -> $web_svr port www
> pass in quick on $ext_if proto tcp from any to $dmz_if port www

I think what you meant here is "... from any to $web_svr ...", not $dmz_if. You want to pass traffic destined for the web server, not for the firewall's DMZ interface address.

> If I put in a 'block in all' 'block out all' then my whole lan is
> blocked from the internet, please help as I am pretty confused at this
> point. Why a block in all and block out all would prevent everything
> from going in or out when I have 'pass out on $ext_if all keep state'
> after it, is beyond me.

You haven't defined any pass rules for the internal interface. Remember, when traffic moves through a router it will enter one interface and exit on another. You need to pass traffic on both of those interfaces.


You're also going to want to make use of "keep state" on the rules that pass traffic to/from your web server. Right now traffic will make it to the web server from the outside, but the return traffic will be blocked. You'll see this happen once you put back the 'block in|out all' rules.



.joel
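A pf.conf fragment that puts the three points above together (a default block, pass rules on every interface a packet crosses, one "pass in on $dmz_if" rule per service the DMZ host may originate, and "keep state" on the web-server rules). This is an added example, not the ruleset of either poster; the interface names, $int_if, the LAN and DMZ nets and the web server address are assumed, and it uses the older pf syntax of the thread where "keep state" is not implicit.

```pf
# Assumed values: $ext_if, $dmz_if and $web_svr are the thread's macros,
# the interface names, $int_if and the network addresses are made up here.
ext_if  = "fxp0"
int_if  = "fxp1"
dmz_if  = "fxp2"
lan_net = "192.168.1.0/24"
dmz_net = "192.168.3.0/24"
web_svr = "192.168.3.10"

# NAT and redirection as posted in the thread
nat on $ext_if from { $lan_net, $dmz_net } to any -> ($ext_if)
rdr on $ext_if proto tcp from any to $ext_if port www -> $web_svr port www

# Default deny on every interface, in both directions
block in all
block out all
pass quick on lo0 all

# --- External interface ---
# After rdr the packet is addressed to $web_svr, not to $dmz_if.
# keep state is what lets the server's replies back out past "block out all".
pass in on $ext_if proto tcp from any to $web_svr port www \
    flags S/SA keep state
# Anything the firewall forwards or originates toward the internet
pass out on $ext_if all keep state

# --- DMZ interface ---
# The web traffic that entered on $ext_if must also be passed out on $dmz_if
pass out on $dmz_if proto tcp from any to $web_svr port www \
    flags S/SA keep state
# Connections the DMZ host itself starts (lynx, DNS lookups): one
# "pass in on $dmz_if" rule per service, never to the internal LAN
block in quick on $dmz_if from $dmz_net to $lan_net
pass in on $dmz_if proto tcp from $web_svr to any port { www, https } \
    flags S/SA keep state
pass in on $dmz_if proto udp from $web_svr to any port domain keep state

# --- Internal interface ---
# Without these the LAN is cut off: its packets are blocked on the way *in*
# and never reach the "pass out on $ext_if" rule at all
pass in  on $int_if from $lan_net to any keep state
pass out on $int_if from any to $lan_net keep state
```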


