Date: Wed, 28 Jul 1999 10:14:27 +0200
From: Alain Thivillon <Alain.Thivillon@hsc.fr>
To: Scott Taylor <staylor@graphicexpress.net>
Cc: freebsd-ipfw@freebsd.org
Subject: Re: reflexive access lists?
Message-ID: <19990728101427.E28741@yoko.hsc.fr>
In-Reply-To: <379DED83.70D4B4BE@graphicexpress.net>; from Scott Taylor on Tue, Jul 27, 1999 at 11:33:55AM -0600
References: <379DED83.70D4B4BE@graphicexpress.net>
Scott Taylor <staylor@graphicexpress.net> wrote:

> One of the rules that I have in the access lists on my cisco routers
> that I wish I could setup of my freebsd box are reflexive access lists.
> I'd love to be able to allow packets that are replies to requests from
> my machine be automatically allowed without allowing such a blanket

ipfilter uses "keep state" to store information about sessions and
dynamically open up 'reflexive' tcp, udp and even icmp flows.

If I want to enable all outgoing connections from my box, and block
everything else (warning, this will be a very bad setup if this box is
a router):

pass out quick on lo0 from any to any
pass in quick on lo0 from any to any
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
pass out quick proto tcp from any to any keep state
pass out quick proto udp from any to any keep state
pass out quick proto icmp from any to any keep state
block return-rst in log quick proto tcp from any to any
block return-icmp(port-unr) in log quick proto udp from any to any
block return-icmp(13) in log from any to any
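To make the "keep state" behaviour concrete, here is an added toy model of how ipfilter evaluates the rule set above. It is example code written for this page, not ipfilter's own code or anything from the thread: the parser (`parse_rule`), the `Packet`/`Firewall` classes and the traffic in `demo()` are all constructed here, and the model is deliberately simplified (state is a plain set of outbound 5-tuples with no timeouts or TCP window tracking; it only handles the rule syntax the message actually uses). What it shows is the point of the message: an outbound TCP or UDP packet matching a `keep state` rule creates a state entry, the reply to it is passed before the `block ... in` rules are ever consulted, and an unsolicited inbound packet falls through to the `block return-rst` / `return-icmp` rules and is logged.

```python
"""Toy model of ipfilter "keep state" evaluation (constructed example, not ipfilter code)."""
from dataclasses import dataclass, field
from typing import Optional

# The rule set from the message above, reproduced verbatim.
RULESET = """
pass out quick on lo0 from any to any
pass in quick on lo0 from any to any
block in log quick from any to any with ipopts
block in log quick proto tcp from any to any with short
pass out quick proto tcp from any to any keep state
pass out quick proto udp from any to any keep state
pass out quick proto icmp from any to any keep state
block return-rst in log quick proto tcp from any to any
block return-icmp(port-unr) in log quick proto udp from any to any
block return-icmp(13) in log from any to any
"""


@dataclass
class Rule:
    action: str                     # pass / block
    direction: str                  # in / out
    reply: Optional[str] = None     # return-rst, return-icmp(...)
    log: bool = False
    quick: bool = False
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: str = "any"
    dst: str = "any"
    flags: set = field(default_factory=set)   # "with ipopts", "with short"
    keep_state: bool = False


def parse_rule(line: str) -> Rule:
    """Parse only the subset of ipf rule syntax used in the message (hypothetical parser)."""
    toks = line.split()
    i, reply = 1, None
    if toks[i].startswith("return-"):
        reply, i = toks[i], i + 1
    r = Rule(action=toks[0], direction=toks[i], reply=reply)
    i += 1
    while i < len(toks):
        t = toks[i]
        if t == "log":
            r.log, i = True, i + 1
        elif t == "quick":
            r.quick, i = True, i + 1
        elif t in ("on", "proto"):
            setattr(r, "iface" if t == "on" else "proto", toks[i + 1]); i += 2
        elif t == "from":                               # "from SRC to DST"
            r.src, r.dst, i = toks[i + 1], toks[i + 3], i + 4
        elif t == "with":
            r.flags.add(toks[i + 1]); i += 2
        elif t == "keep" and toks[i + 1] == "state":
            r.keep_state, i = True, i + 2
        else:
            raise ValueError(f"unsupported token {t!r} in {line!r}")
    return r


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    sport: int = 0                  # 0 for icmp
    dport: int = 0
    flags: frozenset = frozenset()  # constructed attributes such as {"ipopts"} or {"short"}


class Firewall:
    def __init__(self, ruleset: str):
        self.rules = [parse_rule(l) for l in ruleset.strip().splitlines()]
        self.state: set = set()     # (proto, src, sport, dst, dport) of tracked outbound flows
        self.log: list = []

    @staticmethod
    def _matches(r: Rule, p: Packet) -> bool:
        return (r.direction == p.direction and r.iface in (None, p.iface)
                and r.proto in (None, p.proto)
                and r.src in ("any", p.src) and r.dst in ("any", p.dst)
                and r.flags <= p.flags)

    def filter(self, p: Packet) -> str:
        """Return 'pass', 'block', or 'block <return-action>' for one packet."""
        # State is consulted before the rule list: the reply half of a tracked
        # outbound flow never reaches the "block ... in" rules.
        if p.direction == "in" and (p.proto, p.dst, p.dport, p.src, p.sport) in self.state:
            return "pass"
        last = None
        for r in self.rules:
            if self._matches(r, p):
                last = r
                if r.quick:         # "quick": stop at the first match
                    break
        if last is None:            # nothing matched: ipf's default is to pass
            return "pass"
        if last.log:
            self.log.append(f"{last.action} {p.direction} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
        if last.action == "pass" and last.keep_state and p.direction == "out":
            self.state.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return last.action + (f" {last.reply}" if last.reply else "")


def demo() -> dict:
    """Constructed traffic: one web request from this host and three unsolicited inbound packets."""
    fw = Firewall(RULESET)
    out_syn = Packet("out", "fxp0", "tcp", "10.0.0.5", "192.0.2.10", 40000, 80)
    reply = Packet("in", "fxp0", "tcp", "192.0.2.10", "10.0.0.5", 80, 40000)
    probe = Packet("in", "fxp0", "tcp", "198.51.100.7", "10.0.0.5", 5555, 22)
    udp_in = Packet("in", "fxp0", "udp", "198.51.100.7", "10.0.0.5", 5555, 53)
    opts = Packet("in", "fxp0", "tcp", "198.51.100.7", "10.0.0.5", 5555, 80, frozenset({"ipopts"}))
    return {"out_syn": fw.filter(out_syn), "reply": fw.filter(reply), "probe": fw.filter(probe),
            "udp_in": fw.filter(udp_in), "ipopts": fw.filter(opts), "logged": len(fw.log)}


if __name__ == "__main__":
    print(demo())
```

Running `demo()` gives `pass` for the outbound SYN and for its reply, `block return-rst` for the unsolicited TCP probe, `block return-icmp(port-unr)` for the unsolicited UDP packet, plain `block` for the packet carrying IP options (the `with ipopts` rule is `quick` and sits before the `return-*` rules), and three log entries, one per blocked packet. The caveat in the message still applies to the model: nothing here forwards packets, so the rules only describe a host that originates all of its own connections.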