Date: Tue, 11 Jul 2006 13:54:45 +0100 From: "Greg Hennessy" <Greg.Hennessy@nviz.net> To: "'Michael VInce'" <mv@thebeastie.org> Cc: freebsd-pf@freebsd.org Subject: RE: PF firewall rules Message-ID: <001801c6a4e9$2f8bbca0$0a00a8c0@thebeast> In-Reply-To: <44B396C3.90205@thebeastie.org>
> I did mention it a few times but I suppose I wasn't clear about it, but I
> really do want to use "single line firewall rules", and the only way to do
> this is to keep state. If there are other ways/rules to have a really
> flexible firewall but still with stateful inspection with a small amount of
> rules, I would like to see them.

Yes, RTFMP on tag and tagged.

Create generic egress rules on all the filtered interfaces with 'tagged', e.g.

  pass out on {int1,int2,int3} $TCP to any tagged through $KSF

Use tag on ingress rules as appropriate, e.g.

  pass in on int1 $TCP from a to b tag through $KSF

Or, in an environment with no NAT, use interface classes on bidirectional
rules combined with anti-spoofing.

Greg
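The tag/tagged layout Greg sketches above, written out as a complete pf.conf. This is an added illustration, not part of the original thread or of any FreeBSD documentation: the interface names, the addresses, the "through" tag name and the expansions of the $TCP and $KSF macros are all assumptions, and the only policy it encodes is "ingress rules decide what gets forwarded, one generic egress rule per protocol lets it out".

```pf
# pf.conf: single-line stateful rules using tag on ingress and tagged on egress.
# Interface names, networks and macro contents are assumed for the example.

ext_if = "em0"        # Internet-facing (assumed)
dmz_if = "em1"        # DMZ with a mail server (assumed)
lan_if = "em2"        # internal LAN (assumed)
all_if = "{ " $ext_if " " $dmz_if " " $lan_if " }"

# Assumed expansions of the $TCP and $KSF macros used in the reply.
TCP = "proto tcp"
KSF = "flags S/SA keep state"

mailhost = "192.0.2.10"                       # documentation range, assumed
table <rfc1918> const { 10/8, 172.16/12, 192.168/16 }

set skip on lo0
scrub in all

# Anti-spoofing first: 'quick' so a spoofed packet never reaches a pass rule.
antispoof quick for $all_if
block in quick on $ext_if from <rfc1918> to any

# Default deny on every interface, both directions.
block log all

# Generic egress: exactly one rule per protocol for all filtered interfaces.
# 'tagged through' matches only packets an ingress rule tagged, so a packet
# that no ingress rule admitted cannot leave on any interface.
pass out on $all_if $TCP  from any to any tagged through $KSF
pass out on $all_if proto udp from any to any tagged through keep state

# Ingress carries the policy. Each rule is one line: the tag is attached to
# the packet and is visible to the egress rule above for the same packet;
# 'keep state' on both sides passes the replies without further rules.
pass in on $lan_if $TCP from $lan_if:network to any port { 80 443 } tag through $KSF
pass in on $lan_if proto udp from $lan_if:network to any port 53 tag through keep state
pass in on $ext_if $TCP from any to $mailhost port 25 tag through $KSF
pass in on $dmz_if $TCP from $mailhost to any port 25 tag through $KSF
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -vnf /etc/pf.conf` to see the expansion: pf turns the `{ ... }` interface list into one rule per interface, so the two "generic" egress lines become six rules in the loaded ruleset, which is still far fewer than one pass out rule per flow. Two caveats worth keeping in mind: a tag is a property of the packet, not of the interface, so an ingress rule without `tag through` admits the packet on that interface and it is then silently dropped by `block all` on the way out, which shows up in `pfctl -s info` and the pflog as a block on the egress interface rather than an ingress failure; and because the egress rules keep state too, a tagged packet creates state on both the inbound and the outbound interface, so `pfctl -s state` will show two entries per connection.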