From: Abdullah Koro
To: Nathan Watson
Cc: freebsd-questions
Date: Mon, 11 Dec 2006 11:30:06 +0700 (WIT)
Subject: Re: ipf stateful rules

At the moment, I just use a simple configuration that passes all traffic. Nothing needs to be restricted.
This is my NAT configuration sample, kept simple ;)

    # Run NAT
    /sbin/natd -interface rl0
    /sbin/ipfw -f flush
    /sbin/ipfw add divert natd all from any to any via rl0
    /sbin/ipfw add pass all from any to any

and the interfaces:

> ifconfig
rl0: flags=8843 mtu 1500
        options=8
        inet6 fe80::2e0:4cff:feaa:3e53%rl0 prefixlen 64 scopeid 0x1
        inet 192.168.2.231 netmask 0xffffff00 broadcast 192.168.2.255
        ether 00:e0:4c:aa:3e:53
        media: Ethernet autoselect (100baseTX )
        status: active
rl1: flags=8843 mtu 1500
        options=8
        inet6 fe80::213:46ff:fe3a:da6f%rl1 prefixlen 64 scopeid 0x2
        inet 10.1.1.1 netmask 0xffffff00 broadcast 10.1.1.255
        ether 00:13:46:3a:da:6f
        media: Ethernet autoselect (10baseT/UTP)
        status: active
plip0: flags=108810 mtu 1500
lo0: flags=8049 mtu 16384
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x4
        inet 127.0.0.1 netmask 0xff000000

regards,
koro

On Sun, 10 Dec 2006, Nathan Watson wrote:

> Hello,
> I'm running FreeBSD 6.1 with IPF/IPNAT, and I'm having a problem getting my rules to work. The problem is mainly that I want no restrictions on outbound traffic, and I'm not sure how to apply stateful filtering to that. I have the following rule (hme0 is my external interface):
>
> pass out quick on hme0 all
>
> If I change that to "pass out quick on hme0 all keep state," will that only open the port that the outbound packet was on? Are there any problems that can arise from allowing all outbound traffic? At the moment, my ruleset doesn't pass packets at all... I'm just having lots of trouble here. My ruleset is below, and everything seems to be caught by the last block all rule. Any suggestions?
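Added example, written for this thread and not posted by either participant: an IPFilter ruleset of the shape Nathan describes, assuming hme0 is the external interface (as in his question) and that SSH on port 22 is the only service meant to be reachable from outside (an assumption). With "keep state", ipf records the addresses and ports of each outbound connection and passes back in only the replies that match that entry, so the trailing "block in" rule can drop everything else; Koro's "pass all from any to any" instead leaves every inbound port open.

```ipf
# /etc/ipf.conf (added example; hme0 = external interface, as in the question)

# Loopback traffic is never filtered
pass in quick on lo0 all
pass out quick on lo0 all

# Anti-spoofing: private source addresses must never arrive from the outside
# (assumes no legitimate RFC 1918 peers on hme0)
block in quick on hme0 from 10.0.0.0/8 to any
block in quick on hme0 from 172.16.0.0/12 to any
block in quick on hme0 from 192.168.0.0/16 to any

# Outbound: unrestricted, but stateful. "flags S" matches only the initial
# SYN, and "keep state" records src/dst address and port so that only the
# replies belonging to this connection are passed back in.
pass out quick on hme0 proto tcp from any to any flags S keep state
pass out quick on hme0 proto udp from any to any keep state
pass out quick on hme0 proto icmp from any to any keep state

# Inbound: only what is explicitly offered (SSH here is an assumption)
pass in quick on hme0 proto tcp from any to any port = 22 flags S keep state

# Default: everything else coming in on hme0 is dropped and logged
block in log quick on hme0 all
```

Load it with "ipf -Fa -f /etc/ipf.conf"; when IPNAT is also in use, translation happens before filtering on inbound packets and after filtering on outbound ones, so the state entries are keyed on the internal addresses in both directions.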