Date: Tue, 11 Jul 2006 12:29:17 +0400 From: "Dmitry Andrianov" <dimas@dataart.com> To: "Michael Vince" <mv@thebeastie.org> Cc: freebsd-pf@freebsd.org Subject: RE: PF firewall rules Message-ID: <D5972F49810A69449A9EA72A4B360DC2D0A3A1@e1.universe.dart.spb>
Hi.

> >Why can't you filter incoming packets as they come on internal
> >interface? IMHO it is more natural because you stop unwanted traffic
> >early..
>
> So you're saying that to stop packets going *out* it's more "natural" to
> type up a *block in* firewall rule to achieve the desired result. I
> think it is a hard point of view to argue, and this was something that
> was never needed with IPFilter and is probably one of its better
> remaining features over PF.

It only depends on your personal preferences - I used IPFilter for about
4 years before switching to pf and I was using exactly the same approach
there - the "pass out ... keep state" used to allow all outbound traffic
while routed was making its decisions solely on inbound packets.

> So to block IP 192.168.1.17 from connecting *out* to anything on the
> internet I have to use a "block in" statement and there is no other way
> of doing this rule?
>
> block in quick on $int_if proto { tcp, udp, icmp } from 192.168.1.17 to any

Even

block in quick on $int_if from 192.168.1.17 to any

Why not? If you need to allow this host to connect to the gateway itself,
you may use "pass in quick" rules before that one.

Or vice versa - you can use

block in on $int_if from 192.168.1.17 to any

(without "quick") and then allow only some destinations/protocols.

And finally you can tag your packets and then decide whether to pass that
packet or not based on tags.

Regards,
Dmitry Andrianov
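The three approaches from the reply above, written out as one pf.conf fragment. This is an added example, not code from the original thread: the interface names, the LAN subnet and the gateway's LAN address are assumptions, while the blocked host 192.168.1.17 comes from the thread.

```pf
# Added example, not from the original thread. Assumed: em0 is the external
# interface, em1 the LAN interface, 192.168.1.1 the gateway's LAN address.
ext_if = "em0"
int_if = "em1"
lan_net = "192.168.1.0/24"
gw_addr = "192.168.1.1"
blocked_host = "192.168.1.17"

# Anything tagged NO_INTERNET (only approach 3 tags) is dropped on its way
# out; this must sit before the stateful "pass out" rules below.
block out quick on $ext_if tagged NO_INTERNET

# Outbound is wide open and stateful: the decision is made on the inbound
# leg on $int_if, as the reply describes. The $int_if rule covers replies
# from the gateway itself back to the LAN.
pass out quick on $ext_if keep state
pass out quick on $int_if keep state

# Everyone on the LAN may get out. No "quick", so later rules still apply.
pass in on $int_if from $lan_net to any keep state

# Approach 1: "pass in quick" for the gateway itself, then "block in quick".
# The first matching rule carrying "quick" is final, so order matters.
pass in quick on $int_if from $blocked_host to $gw_addr keep state
block in quick on $int_if from $blocked_host to any

# Approach 2 (use instead of approach 1): block without "quick", then allow
# only selected destinations/protocols. Without "quick" the last matching
# rule wins, so the specific "pass in" rules below override the block.
# block in on $int_if from $blocked_host to any
# pass in on $int_if from $blocked_host to $lan_net keep state
# pass in on $int_if proto tcp from $blocked_host to any port 80 keep state

# Approach 3 (use instead of 1 or 2): tag the host's packets on the way in
# and let the "block out quick ... tagged" rule at the top decide on $ext_if.
# The tag rule is deliberately stateless: with the default floating state
# policy (an assumption), a state created here would otherwise match the
# packet on $ext_if and skip the outbound rules entirely.
# pass in quick on $int_if from $blocked_host to any tag NO_INTERNET
```

Load it with `pfctl -nf /etc/pf.conf` first to syntax-check the ruleset before `pfctl -f` applies it.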