On Thu, 2004-08-19 at 06:51, Ilya A. Kovalenko wrote:
> Good day,
>
> I am trying to pass any outgoing TCP connections from my
> office (<nPrivate>) onto campus network (<nPublic>) sites,
> but block any incoming connections from campus to office.
>
> I can use a PF ruleset like this for it (on a 2-interfaced GW
> between office & campus):
> --------------------------------------------
> > block in all
> > block return-rst in proto tcp all
> >
> > pass in on lo0 all
> >
> > pass in from <nPublic> to <nPublic>
> > pass in from <nPrivate> to <nPublic>
> > pass in from <nPrivate> to <nPrivate>
> >
> > pass in proto tcp from <nPrivate> to <nPublic> keep state
> --------------------------------------------
>
> I suppose that the last rule would create state for the
> outgoing connection and pass all campus packets for it.
> But it seems not to work ... or I missed some other
> factors.
> Should it work?
>
> Previously, I've used a construction like this
>
> > pass in proto tcp from <nPublic> to <nPrivate>
> > block in proto tcp from <nPublic> to <nPrivate> flags S/SA
>
> but it has a security issue - a public host could send a spoofed
> TCP packet, to which an internal host responds with RST.
> So a public host could perform a ping-scan (by nmap, for example)
> of the internal network.
if that's your concern--do some anti-spoofing (there's actually a shortcut
version of this in 3.5, but it's just as easy to do it manually):

  block in all
  block return-rst in proto tcp all
  block in quick on ! $private_if from <nPrivate>
  [ ... rest of rules ... ]

-j
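The anti-spoofing rule from the reply folded into the poster's ruleset, as an added example that is not from either message in the thread. Interface names, addresses and table contents are assumptions; the `antispoof` keyword mentioned in the comments is a pf feature that exists but is not tied here to any particular release.

```pf
# Added example, not from the original thread. Interface names and
# network ranges are assumed values; adjust for the real gateway.
private_if = "fxp0"        # faces the office (<nPrivate>)
public_if  = "fxp1"        # faces the campus (<nPublic>)

table <nPrivate> const { 10.0.0.0/24 }       # assumed office network
table <nPublic>  const { 172.16.0.0/16 }     # assumed campus network

# Default deny. return-rst makes pf answer blocked TCP with a RST itself,
# so a blocked connection fails immediately instead of timing out.
block in all
block return-rst in proto tcp all

# Local traffic first: the anti-spoofing rule below would otherwise also
# drop packets the gateway sends to its own office-side address over lo0.
pass in quick on lo0 all

# Anti-spoofing. A packet with an office source address may only arrive on
# the office interface; on any other interface it is forged. "quick" makes
# the drop final, so no later pass rule can let it through. The same effect
# can be had with the pf "antispoof for $private_if" keyword.
block in quick on ! $private_if from <nPrivate>

# Campus-internal traffic that merely transits the gateway.
pass in on $public_if from <nPublic> to <nPublic>

# Office to office, unchanged from the poster's ruleset.
pass in on $private_if from <nPrivate> to <nPrivate>

# Office hosts may open TCP connections to the campus. Only the SYN creates
# state (flags S/SA); the state entry is what lets the campus replies back
# in, so no "pass in from <nPublic> to <nPrivate>" rule is needed and an
# unsolicited campus packet never reaches an office host to provoke a RST.
pass in on $private_if proto tcp from <nPrivate> to <nPublic> \
    flags S/SA keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it; the stateless `pass in from <nPrivate> to <nPublic>` rule from the original ruleset is intentionally left out, since the stated goal is outgoing TCP only and the stateful rule covers that.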