On Thu, 2005-01-06 at 16:48, Jason Murray wrote:
> Hello, new to the list, but not exactly new to pf.
>
> I've got a 3 interface firewall and I'm seeing what I would call strange
> behaviour. Here is the scenario. I want to allow http in from the Internet
> to a web server on an isolated segment. I have a rdr rule set up and it
> works just fine (traffic flows when no filtering is being done).
>
> If I have a rule set like the following:
>
> block log all
> antispoof quick for { lo0 $uat_if $dev_if }
> # Allow web traffic to the UAT (marlin) box.
> pass in log quick on $ext_if proto tcp from any to $marlin port { 80, 443 } \
>     flags S/SA keep state
<snip>

I *really* hope someone will smack me if I'm off-base here, because I'm not sure I'm 100% clear on this... BUT... as *I* understand it, as soon as you use "on $if" in a rule, the state that is created is if-bound even if your state-policy is floating. So you either (a) create 2 rules, one "pass in" for the inbound interface and one "pass out" for the outbound interface, (b) create strict rules on the inbound interface and a single lax rule on the outbound interface, or (c) don't use the "on $if" construct in your rules.

Personally, I use (b) for internal->external rules and (a) for external->internal rules. I always assumed that if I needed to build a pf.conf to support an enormous number of states, I would use (c).

-j
-- 
"I'm having the best day of my life, and I owe it all to not going to Church!" --The Simpsons
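What option (a) from the reply above looks like as a complete pf.conf, written as an added example for this page rather than taken from either poster: an explicit "pass in" on the external interface paired with a "pass out" on the interface the web server sits behind, around Jason's own block/antispoof/pass rules. The macro names ($ext_if, $dev_if, $uat_if, $marlin) come from Jason's snippet; the interface names and the server address are placeholders, and the rdr rule uses the pre-OpenBSD 4.7 syntax that matches the era of this thread (later releases spell it `pass in ... rdr-to`). Whether the second rule is needed is decided by `set state-policy`: a floating state created by the inbound rule also matches the packet as it leaves on $dev_if, an if-bound one does not.

```pf
# Added example (not from the original thread): approach (a), two explicit
# rules, one per interface the connection crosses.
# Interface names and the server address below are assumed placeholders.
ext_if = "em0"          # Internet-facing interface (assumed)
dev_if = "em1"          # isolated segment holding the web server (assumed)
uat_if = "em2"          # third interface from Jason's ruleset (assumed)
marlin = "192.0.2.10"   # the web server; RFC 5737 documentation address
web_ports = "{ 80, 443 }"

# pf's default; stated explicitly because it decides whether the "pass out"
# rule below does any work. Under "if-bound" the inbound state only matches
# packets on $ext_if, so the outbound leg needs its own rule and state.
set state-policy floating

# Redirect inbound HTTP/HTTPS arriving on the external address to the server.
# Filter rules evaluated after this see the translated destination ($marlin).
rdr on $ext_if proto tcp from any to ($ext_if) port $web_ports -> $marlin

block log all
antispoof quick for { lo0 $uat_if $dev_if }

# Inbound leg: Jason's rule, matching the post-rdr destination on $ext_if.
pass in log quick on $ext_if proto tcp from any to $marlin port $web_ports \
    flags S/SA keep state

# Outbound leg: the same connection leaving toward the server on $dev_if.
# Redundant under "floating" (the state above already matches), required
# under "if-bound".
pass out quick on $dev_if proto tcp from any to $marlin port $web_ports \
    flags S/SA keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it. After loading, `pfctl -vsr` prints per-rule packet and state counters, which show whether the outbound rule is ever matched under the policy in effect, and `pfctl -ss` lists the state table so you can see how many entries one browser connection produces.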