From: Miroslav Lachman <000.fbsd@quip.cz>
To: jonathan michaels
Cc: freebsd-pf@freebsd.org
Subject: Re: pf, ping and traceroute
Date: Tue, 11 Sep 2007 16:29:28 +0200
Message-ID: <46E6A648.8080700@quip.cz>
In-Reply-To: <20070911213841.01986@caamora.com.au>
References: <20070911133959.25090@caamora.com.au> <20070911213841.01986@caamora.com.au>
List: freebsd-pf ("Technical discussion and general questions about packet filter (pf)")

jonathan michaels wrote:
> On Tue, Sep 11, 2007 at 02:07:45AM -0700, Kian Mohageri wrote:

[...]
> yes, kian, my basic problem is that english is not my first language
> and i still have difficulty understanding the way that teh document is
> written.

Even if you are not a native English speaker, please use "the" and not "teh". It is hard to read your sentences.

>> Focus on understanding how the directions work (e.g. pass in vs. pass
>> out) and also 'keep state.' Understanding states is critical... have
>> you figured out how those work yet?
>
> i think that i have .. but, i have a way to go yet i think. learning
> for me is a hard process of reading and reading and reading until i
> understand it and i can get it past teh damaged bits of my brain.
>
> sorry, i don't have any other way of explaining what is going on.

I am using PF on my servers and I am using the following two lines to allow incoming & outgoing pings:

# Allow pings and replies while keeping state
pass out quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state
pass in quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state

Where $ext_if is ext_if="bge0"

>> Are you filtering on a router? Switch? Server?
>
> pentium 133 mhz that is running freebsd v6.2 and i am using the
> included version of pf. so i suppose that it is a server, yes ??
>
> my internet connection is via a v.90 dialup modem that provides me a
> permanently connected ppp style connection/account (been using it some 10
> plus years).
>
> ext_if=ppp0 = this is teh modem, on serial (comm0/cuad0) port 1
> int_if=de0 = nic, accton en1203 21040 (a digital 10 mhz clone)
>
> this is all that there is, so i suppose it's a simple router ??
>
> i am thinking of using pf to defend all teh internal machines from
> stuff that makes it through the firewall, is this possible (there seems
> to be nothing, that i have been able to find/understand in teh doc or
> via google) ??
>
> this means that i am looking at using ipfw as a secondary firewall, or
> just as a filter kind of thing to keep out the stuff that is making it
> through the firewall.

I don't understand what you mean... There is no reason to use more than one firewall on the machine, and PF is just fine.

Miroslav Lachman
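As an added illustration of the setup described in this thread (a FreeBSD 6.2 box with the modem on ppp0 outside and the NIC de0 inside, filtered by PF alone, no ipfw), here is a complete pf.conf. It is not jonathan's or Miroslav's configuration: only the two ICMP echo lines come from the post above; the LAN range 192.168.1.0/24, the NAT rule and every other rule are assumptions made for the example. It also covers traceroute, which the subject line raises but the message does not: FreeBSD's traceroute(8) sends UDP probes, and PF matches the returning ICMP time-exceeded and port-unreachable errors to the UDP state, so no separate rule for ICMP type 11 or type 3 is needed.

```conf
# Example pf.conf for the dial-up router in this thread (added example, not
# from the original post). Interface names are the ones jonathan gave; the
# LAN prefix is an assumption.
ext_if="ppp0"
int_if="de0"
lan_net="192.168.1.0/24"        # assumed LAN range

set skip on lo0
set block-policy drop           # silently drop, don't answer with RST/unreachable
scrub in all                    # reassemble fragments before filtering

# NAT the LAN out the modem. The parentheses make pf re-read the interface
# address on every packet, which matters because a PPP address changes on redial.
nat on $ext_if from $lan_net to any -> ($ext_if)

# Default deny in both directions; log what is dropped so it can be reviewed
# with tcpdump -n -e -ttt -i pflog0.
block log all

# LAN addresses must never arrive on any interface other than de0.
antispoof quick for $int_if inet

# Ping: the two lines from Miroslav's post. 'keep state' lets the matching
# echo replies back through the default deny without a rule for icmp-type 0.
pass out quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state
pass in  quick on $ext_if inet proto icmp icmp-type 8 code 0 keep state

# Traceroute: traceroute(8) on FreeBSD sends UDP probes to port 33434 and
# up, one port per probe (default 64 hops x 3 probes), unless -p is given.
# The ICMP errors that come back for each hop match this UDP state, so
# nothing else is needed for traceroute to work through the firewall.
pass out quick on $ext_if inet proto udp from any to any port 33434:33634 keep state

# What the router and the LAN may start towards the Internet: TCP
# connections and DNS. Anything else outbound is dropped by 'block log all',
# and nothing unsolicited from the modem side ever reaches the LAN.
pass out on $ext_if inet proto tcp from any to any flags S/SA keep state
pass out on $ext_if inet proto udp from any to any port 53 keep state

# Inside interface. This is where PF protects the internal machines: the
# same rule set that filters ppp0 also filters de0, so a second firewall
# such as ipfw adds nothing. Tighten these two rules if LAN hosts should be
# restricted further.
pass in  on $int_if inet from $lan_net to any keep state
pass out on $int_if inet from any to $lan_net keep state
```

Check the file with `pfctl -nf /etc/pf.conf` (parse only), load it with `pfctl -f /etc/pf.conf`, and run `pfctl -ss` while a ping or traceroute is in progress to see the ICMP or UDP state entry that the replies and ICMP errors are matched against.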