Date: Thu, 23 Jan 2003 23:20:29 +0800
From: Dung Patrick <dkt@digitalme.com>
To: freebsd-security@FreeBSD.ORG
Subject: Egress filtering
Message-ID: <1043335229.ca145a00dkt@digitalme.com>
Hello,

For the egress filtering, I would only allow my firewall to send out packets with the public IP of the firewall address, not only drop outgoing packets with an RFC1918 source address. I have a rule like this in ipfilter:

block out log on dc0 from !fw_public_IP to any

But I see this in my log:

192.168.0.1 (private LAN) -> a.b.c.d (a web server in the Internet)

The ipfilter drops/logs the packet before NAT. If it were after NAT, my source address would be fw_public_IP and the above block rule would be skipped.

Any suggestion?

Regards,
Patrick
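As an added illustration (not part of the original post), the Python model below reproduces the ordering the post observes on IPFilter's outbound path: filter rules are evaluated before the NAT "map" step, so a rule keyed on the firewall's public address sees the LAN's private source instead. All addresses are constructed placeholders, and the second rule set is an assumed anti-spoof alternative that permits the LAN and the firewall itself and blocks every other source.

```python
"""Model of IPFilter's outbound path: filter rules run first, NAT ("map") second.

Constructed example; the LAN range and public address are made-up placeholders.
"""
import ipaddress

FW_PUBLIC_IP = ipaddress.ip_address("203.0.113.10")  # placeholder public address
LAN = ipaddress.ip_network("192.168.0.0/24")          # placeholder private LAN

def matches(selector, addr):
    """Match a rule selector: 'any', a host/CIDR string, or a '!'-negated form."""
    if selector == "any":
        return True
    if selector.startswith("!"):
        return not matches(selector[1:], addr)
    return addr in ipaddress.ip_network(selector, strict=False)

def filter_out(rules, src, dst):
    """Evaluate 'block/pass out from X to Y' rules; without 'quick', the LAST match wins."""
    verdict = "pass"  # IPFilter's implicit default when no rule matches
    for action, from_sel, to_sel in rules:
        if matches(from_sel, src) and matches(to_sel, dst):
            verdict = action
    return verdict

def outbound(rules, src, dst):
    """Filter first, then NAT: the rule set sees the pre-NAT (private) source."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if filter_out(rules, src, dst) == "block":
        return ("block", str(src))  # what the log shows: the private address
    natted = FW_PUBLIC_IP if src in LAN else src  # 'map' to the public address
    return ("pass", str(natted))

# The rule from the post: only the firewall's own public address may leave.
POSTED_RULES = [("block", f"!{FW_PUBLIC_IP}", "any")]

# Assumed anti-spoof variant that accounts for filter-before-NAT: the LAN and
# the firewall may leave; anything else (other RFC1918, spoofed) is blocked.
ANTISPOOF_RULES = [
    ("block", "any", "any"),
    ("pass", str(LAN), "any"),
    ("pass", f"{FW_PUBLIC_IP}/32", "any"),
]

if __name__ == "__main__":
    print(outbound(POSTED_RULES, "192.168.0.1", "198.51.100.7"))     # ('block', '192.168.0.1')
    print(outbound(ANTISPOOF_RULES, "192.168.0.1", "198.51.100.7"))  # ('pass', '203.0.113.10')
    print(outbound(ANTISPOOF_RULES, "10.0.0.5", "198.51.100.7"))     # ('block', '10.0.0.5')
```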