On 7/27/09 10:13 AM, Joseph L. Casale wrote:
I am familiar with PIX/ASA and iptables which I am seeing don't quite
share the same rules as pfSense.

If I have a vlan and or opt interface that I am routing traffic into
from the LAN interface, is there a way to write one rule on the OPT
interface such that new/established traffic from the LAN interface is
allowed back through?

On the lan interface, it seems that if I write a rule letting one host
pass a tcp port over to a host in opt1, everything else is blocked
(as expected). But the same goes for the OPT interface, if I understand this
correctly, I need to write a specific rule to allow that traffic to return?
So if that's the case, how do I craft the rule such that replies only can
return, so the host in OPT can't initiate connections out to LAN even the
one host that can initiate to it?

Joseph,

Have you got an implementation in place? Are you doing any testing? pfSense is a connection-tracking firewall, and rules by default govern the /creation/, i.e. initiation, of connections. Data which is part of any tracked connection passes through the firewall in either direction. For example, if you allowed IRC and in the middle of the day began blocking those ports, the only sure way to stop all traffic would be a "reset states", aka wipe-out the connection tracking table. At that point every connection must be recreated, and the rules apply to session establishment. I don't know what policy is, and I haven't tested WRT UDP. I am speaking directly about TCP here.

Also, put a box in place and do some testing. It's quick and easy. You can prove most of these features via straight logical deduction.

Sincerely,
  Joshua
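An added example, not from the thread or from pfSense itself: a small model of the connection-tracking behaviour Joshua describes. Rules are consulted only for packets that would create a state (a TCP SYN); packets belonging to a tracked connection pass in either direction with no rule on the other interface, and a "reset states" forces every connection to be re-established. Interface names (lan, opt1), addresses and ports are constructed.

```python
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrives on
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = False   # True only for a connection-opening TCP SYN

@dataclass(frozen=True)
class Rule:
    iface: str          # inbound interface the rule is evaluated on
    src: str
    dst: str
    dport: int

@dataclass
class StatefulFirewall:
    rules: list = field(default_factory=list)
    states: set = field(default_factory=set)   # connection-tracking table

    def filter(self, pkt):
        # The state key is symmetric, so the reply direction matches it too.
        key = frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)})
        if key in self.states:
            return "pass (state)"         # tracked connection: rules not consulted
        if not pkt.syn:
            return "block (no state)"     # mid-stream packet with no state entry
        for r in self.rules:              # rules govern connection creation only
            if (r.iface, r.src, r.dst, r.dport) == (pkt.iface, pkt.src, pkt.dst, pkt.dport):
                self.states.add(key)      # "keep state": remember the connection
                return "pass (rule)"
        return "block (default deny)"

    def reset_states(self):
        self.states.clear()               # "reset states": table wiped

def scenario():
    # Constructed addresses: one LAN host may open RDP (3389) to one OPT1 host.
    fw = StatefulFirewall(rules=[Rule("lan", "192.168.1.10", "10.0.1.20", 3389)])
    syn = Packet("lan", "192.168.1.10", "10.0.1.20", 50000, 3389, syn=True)
    synack = Packet("opt1", "10.0.1.20", "192.168.1.10", 3389, 50000)
    opt_initiated = Packet("opt1", "10.0.1.20", "192.168.1.10", 40000, 445, syn=True)
    results = [fw.filter(syn), fw.filter(synack), fw.filter(opt_initiated)]
    fw.reset_states()
    results.append(fw.filter(synack))     # same connection, but its state is gone
    return results
```

The single LAN rule is enough for the reply traffic; the OPT1 host's own SYN is dropped because no rule on opt1 permits creation.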
