On Thu, 2005-01-06 at 16:48, Jason Murray wrote:
> Hello new to the list, but not exactly new to pf.
>
> I've got a 3 interface firewall and I'm seeing what I would call strange
> behaviour. Here is the scenario. I want to allow http in from the Internet
> to a web server on an isolated segment. I have a rdr rule set up and it
> works just fine (traffic flows when no filtering is being done).
>
> If I have a rule set like the following:
>
> block log all
> antispoof quick for { lo0 $uat_if $dev_if }
> # Allow web traffic to the UAT (marlin) box.
> pass in log quick on $ext_if proto tcp from any to $marlin port { 80, 443 }
> flags S/SA keep state
<snip>
i *really* hope someone will smack me if i'm off-base here, because i'm
not sure i'm 100% clear on this...BUT...as *i* understand it, as soon as
you use "on $if" in a rule--the state that is created is if-bound even
if your state-policy is floating. so you either (a) create 2 rules, one
"pass in" for the inbound interface and one "pass out" for the outbound
interface, (b) create strict rules on the inbound interface and a single
lax rule on the outbound interface or (c) don't use the "on $if"
construct in your rules.
personally--i use (b) for internal->external rules and (a) for
external->internal rules. i always assumed that if i needed to build a
pf.conf to support an enormous number of states--i would use (c).
-j
--
"I'm having the best day of my life, and I owe it all to not going
to Church!"
--The Simpsons
