Date: Tue, 27 Jun 2006 19:04:04 +0100
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: "'N. Ersen SISECI'" <siseci@gmail.com>
Cc: freebsd-pf@freebsd.org
Subject: RE: Keep State is not working on 6.1-RELEASE-p1
Message-ID: <000f01c69a14$13b106f0$0a00a8c0@thebeast>
In-Reply-To: <44A1396C.7040708@gmail.com>
> What we are looking for is to be able to pass through
> firewall with one set of rule per allowed traffic like it is
> used to be in ipf like firewalls.
> [snip]
>
> Is there another way to securely let everything "pass
> through" firewall?
> without having to write another rule for outgoing packets.

There's a couple of ways to do this, I've used both.

Create generic tagged egress rules on the relevant firewall interfaces. E.g.

    pass out log quick on int1 from any to any tagged outyougo keep state

You only need as many egress rules as there are filtered interfaces with the above.

Then tag ingress rules appropriately

    pass in log quick on int0 $TCP from source to dest tag outyougo $KSF

Or.

If all the interfaces on the system are of the same driver family, use interface classes combined with anti spoofing. E.g.

    antispoof log quick for { int0, int1, int2..... }
    pass log quick on int $TCP from source to dest $KSF

If you have a mixture of interfaces, you may be able to add something like

    /sbin/ifconfig fxp0 name eth0 # spit ;-)
    /sbin/ifconfig fxp1 name eth1
    /sbin/ifconfig bge0 name eth2
    /sbin/ifconfig bge1 name eth3

to /etc/rc.early and then see can you

    pass log quick on eth $TCP ....

etc.

Haven't tried it, so YMMV.

Greg
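The tag/tagged approach above, assembled into one pf.conf fragment with the macros Greg leaves undefined (added example, not from the thread; the interface names, the $TCP/$KSF expansions and the 192.0.2.x addresses are assumed for illustration):

```pf
# Added example, not from the original mail. Names below are assumed.
ext_if  = "fxp0"
int_if  = "fxp1"
dmz_if  = "bge0"
web_srv = "192.0.2.10"              # constructed sample address
TCP     = "proto tcp"                # assumed expansion of $TCP
KSF     = "flags S/SA keep state"    # assumed expansion of $KSF: state on the initial SYN only

# Default deny, logged, so an untagged flow shows up in pflog instead of
# silently passing; antispoof covers every filtered interface.
block log all
antispoof log quick for { $ext_if, $int_if, $dmz_if }

# One generic egress rule per filtered interface. Each only matches
# packets an ingress rule has already tagged "outyougo".
pass out log quick on $ext_if from any to any tagged outyougo keep state
pass out log quick on $int_if from any to any tagged outyougo keep state
pass out log quick on $dmz_if from any to any tagged outyougo keep state

# Per-flow ingress rules: the tag is what lets the matching egress rule fire,
# so each allowed flow needs exactly one rule here and no extra egress rule.
pass in log quick on $ext_if $TCP from any to $web_srv port 80 tag outyougo $KSF
pass in log quick on $int_if $TCP from $int_if:network to any port { 80, 443 } tag outyougo $KSF
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -vsr` afterwards shows the per-rule counters so you can confirm the tagged egress rules are the ones matching.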