From owner-freebsd-pf@FreeBSD.ORG Tue Jun 27 18:04:11 2006
X-Original-To: freebsd-pf@freebsd.org
Delivered-To: freebsd-pf@freebsd.org
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: "'N. Ersen SISECI'"
Cc: freebsd-pf@freebsd.org
Date: Tue, 27 Jun 2006 19:04:04 +0100
Subject: RE: Keep State is not working on 6.1-RELAESE-p1
Keywords: freebsd-pf
Message-ID: <000f01c69a14$13b106f0$0a00a8c0@thebeast>
In-Reply-To: <44A1396C.7040708@gmail.com>
X-Mailer: Microsoft Office Outlook 11
List-Id: "Technical discussion and general questions about packet filter (pf)"

> What we are looking for is to be able to pass through the
> firewall with one set of rules per allowed traffic, like it
> used to be in ipf-like firewalls.
> [snip]
>
> Is there another way to securely let everything "pass
> through" the firewall
> without having to write another rule for outgoing packets?

There are a couple of ways to do this; I've used both.
Create generic tagged egress rules on the relevant firewall interfaces. E.g.

    pass out log quick on int1 from any to any tagged outyougo keep state

You only need as many egress rules as there are filtered interfaces with the above. Then tag the ingress rules appropriately:

    pass in log quick on int0 $TCP from source to dest tag outyougo $KSF

Or:

If all the interfaces on the system are of the same driver family, use interface classes combined with anti-spoofing. E.g.

    antispoof log quick for { int0, int1, int2, ... }
    pass log quick on int $TCP from source to dest $KSF

If you have a mixture of interfaces, you may be able to add something like

    /sbin/ifconfig fxp0 name eth0   # spit ;-)
    /sbin/ifconfig fxp1 name eth1
    /sbin/ifconfig bge0 name eth2
    /sbin/ifconfig bge1 name eth3

to /etc/rc.early and then see whether you can

    pass log quick on eth $TCP ....

etc. Haven't tried it, so YMMV.

Greg
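The tagged-egress approach from the reply above, written out as a complete pf.conf (an added example, not part of Greg's message or of any FreeBSD documentation; the interface names em0/em1/em2, the $TCP and $KSF macro contents, and the host and network addresses are assumptions chosen for illustration). It shows one generic egress rule per filtered interface, anti-spoofing on every interface, and ingress rules that are the only place a flow is allowed and tagged:

```pf
# Added example pf.conf; interface names, macros and addresses are assumptions.
ext_if = "em0"          # assumed: Internet-facing interface
dmz_if = "em1"          # assumed: DMZ interface
lan_if = "em2"          # assumed: internal LAN interface

TCP = "proto tcp"
KSF = "flags S/SA keep state"   # state only on the initial SYN

web_srv = "192.0.2.10"          # constructed address (TEST-NET-1)
lan_net = "10.0.0.0/24"         # constructed internal network

# Default deny in both directions, logged, so anything not tagged is dropped.
block log all

# Drop packets whose source address cannot legitimately arrive on that interface.
antispoof log quick for { $ext_if $dmz_if $lan_if }

# One generic egress rule per filtered interface. A packet may only leave
# through an interface if an ingress rule tagged it "outyougo" first;
# the tag is internal to pf and never appears on the wire.
pass out log quick on $ext_if from any to any tagged outyougo keep state
pass out log quick on $dmz_if from any to any tagged outyougo keep state
pass out log quick on $lan_if from any to any tagged outyougo keep state

# Ingress rules: exactly one rule per allowed traffic class. Each rule both
# admits the flow and tags it so the matching egress rule will let it out.
pass in log quick on $ext_if $TCP from any to $web_srv port 80 tag outyougo $KSF
pass in log quick on $lan_if $TCP from $lan_net to any port { 22 80 443 } tag outyougo $KSF
pass in log quick on $lan_if $TCP from $lan_net to $web_srv port 80 tag outyougo $KSF
```

Syntax-check with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Because the default is `block log all`, adding a new allowed flow means adding one tagged `pass in` rule; the egress rules never change, which is the property the original question asked for. Watching `pflog0` with tcpdump shows which interface blocked an untagged packet, which is the quickest way to confirm that a flow is being dropped for lack of a tag rather than by the anti-spoofing rules.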