On Sun, 5 Sep 2004, Mipam wrote:

> If I have set state-policy floating and I have
>
> block in on $ext_if
> pass out on $ext_if modulate state
>
> Then traffic incoming on $int_if will be allowed, because it may
> leave through the $ext_if, right? Traffic to an open port (on the pf
> machine) on the $int_if will also be accepted, and traffic which comes
> in on $ext_if belonging to a connection initiated by a machine connected
> to the $int_if is also allowed to pass out on $int_if, right?

I believe so: best way to find out is to experiment :)

> If I have set state-policy if-bound
> and I wish to allow clients on the $int_if to make connections to web
> servers I need to have:
>
> pass in on $int_if inet proto tcp from a.b.c/24 to any port 80 \
>     keep state
> pass out on $ext_if inet proto tcp from a.b.c/24 to any port 80 \
>     modulate state

Yes, as long as you're not doing NAT (see below).

> I assume that filtering on outbound traffic is done before NAT?

No - that's why nat (and rdr and binat) come before filtering in the
ruleset: packets are first translated via NAT, then packet matching is
applied. So your second rule ought to be:

pass out on $ext_if inet proto tcp from $ext_if_ip_addr to any port 80 \
    keep state

> Above would be correct?
> Suppose with the same state-policy if-bound and I wish to allow
> traffic to an internal webserver:
>
> pass in on $ext_if inet proto tcp from any to any port 80 flags S/SA \
>     synproxy state
> pass out on $int_if inet proto tcp from any port 80 to any keep state

The second rule should be "... from any to any port 80 ...", although I'd
advise using a specific network rather than 'any' in both rules (i.e. from
any to a.b.c/24 port 80).

I'm sure there are many more subtleties other people can offer, I'm just
replying with what I know because no-one else has yet :)

Oliver.

-- 
Oliver Humpage
ICT Co-ordinator, Watershed Media Centre -- +44 (0)117 9276444

E-mails received are assumed to be for my attention, to do with as I wish.
No responsibility is accepted if communications are sent to me in error.
This disclaimer has as much legal status as yours.
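The if-bound case discussed in the thread, assembled into one pf.conf so the ordering (translation before filtering) and the need for a state entry on each interface are visible together. This is an added example, not a ruleset from either poster; the interface names, the 192.168.1.0/24 network standing in for a.b.c/24, the web server address and the extra "block in on $int_if" are assumptions.

```conf
# Added example (not from the original thread). Shows the rules
# discussed above as a complete ruleset under "set state-policy if-bound".
# Interface names, the internal network and the server address are
# assumptions; a.b.c/24 in the thread is represented by $int_net.

ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "192.168.1.0/24"      # stands in for a.b.c/24
www_srv = "192.168.1.80"        # assumed internal web server

set state-policy if-bound       # states are tied to the creating interface

# Translation section. pf applies nat/rdr/binat before the filter rules,
# so every filter rule on $ext_if below sees the translated addresses.
# ($ext_if) in parentheses means "the address currently on that interface".
nat on $ext_if from $int_net to any -> ($ext_if)
rdr on $ext_if proto tcp from any to ($ext_if) port 80 -> $www_srv port 80

# Filter section (last matching rule wins).
block in on $ext_if
block in on $int_if             # assumption: added so the pass rule on $int_if is needed

# Clients on $int_if reaching external web servers. With if-bound state,
# the inbound rule on $int_if and the outbound rule on $ext_if each create
# their own state entry, and the $ext_if rule must match the post-NAT
# source, i.e. the external address, not $int_net.
pass in  on $int_if inet proto tcp from $int_net   to any port 80 keep state
pass out on $ext_if inet proto tcp from ($ext_if)  to any port 80 keep state

# Inbound to the internal web server. The rdr has already rewritten the
# destination to $www_srv when the filter runs, so the rules match on it
# rather than on "any". Port 80 is the destination port in both rules.
pass in  on $ext_if inet proto tcp from any to $www_srv port 80 \
    flags S/SA synproxy state
pass out on $int_if inet proto tcp from any to $www_srv port 80 keep state
```

Load it with "pfctl -nf /etc/pf.conf" first to syntax-check without activating it, then "pfctl -f /etc/pf.conf"; "pfctl -ss" shows the per-interface state entries created under if-bound, which is the quickest way to confirm that both rules in each pair are being matched.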