Date:      Tue, 11 Jul 2006 12:29:17 +0400
From:      "Dmitry Andrianov" <dimas@dataart.com>
To:        "Michael Vince" <mv@thebeastie.org>
Cc:        freebsd-pf@freebsd.org
Subject:   RE: PF firewall rules
Message-ID:  <D5972F49810A69449A9EA72A4B360DC2D0A3A1@e1.universe.dart.spb>

Hi.

> >Why can't you filter incoming packets as they come on internal
> >interface? IMHO it is more natural because you stop unwanted traffic
> >early..
> >
> >
> So you're saying that to stop packets going *out* it's more "natural" to
> type up a *block in* firewall rule to achieve the desired result, I
> think it is a hard point of view to argue, and this was
> something that
> was never needed with IPFilter and is probably one of its better
> remaining features over PF.

It only depends on your personal preferences - I used IPFilter for about
4 years before switching to pf and I was using exactly the same approach
there - the "pass out ... keep state" used to allow all outbound traffic
while routed was making its decisions solely on inbound packets.

> So to block IP 192.168.1.17 from connecting *out* to
> anything
> on the internet I have to use a "block in" statement and there is no
> other way of doing this rule?
> block in quick on $int_if proto { tcp, udp, icmp } from
> 192.168.1.17 to any

Even

  block in quick on  $int_if from 192.168.1.17 to any

Why not? If you need to allow this host to connect to the gateway itself,
you may use "pass in quick" rules before that one. Or vice versa - you
can use

  block in on  $int_if from 192.168.1.17 to any

(without "quick") and then allow only some destinations/protocols. And
finally you can tag your packets and then decide whether or not to pass
that packet based on tags.

Regards,
Dmitry Andrianov
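An added pf.conf example (written for this archive page, not part of Dmitry's message) that spells out the three approaches he names: "block in quick", "block in" without quick plus selective "pass in", and tagging. The interface names and the services re-allowed for the host are assumptions.

```pf
# Added example, not from the original message: three pf.conf ways to keep one
# LAN host (192.168.1.17, from the thread) off the Internet while filtering on
# the internal interface. Interface names are assumptions; load only ONE of the
# three alternatives. pf evaluates top to bottom and the LAST matching rule
# wins, unless a rule says "quick", in which case that rule is final.
int_if   = "fxp0"          # assumed LAN-facing interface
ext_if   = "fxp1"          # assumed Internet-facing interface
bad_host = "192.168.1.17"

# Baseline: stateful pass for everybody else (2006-era pf, no implicit state).
pass out on $ext_if keep state
pass in  on $int_if keep state

# --- Alternative 1: "block in quick" ------------------------------------
# Anything for this host placed ABOVE the quick block still passes; here only
# SSH to the gateway itself is let through before the host is cut off.
pass  in quick on $int_if proto tcp from $bad_host to $int_if port ssh keep state
block in quick on $int_if from $bad_host to any

# --- Alternative 2: "block in" without quick -----------------------------
# Later, more specific "pass in" rules win, so you re-allow only what you want
# (assumed here: DNS and web).
block in on $int_if from $bad_host to any
pass  in on $int_if proto udp from $bad_host to any port domain keep state
pass  in on $int_if proto tcp from $bad_host to any port { http, https } keep state

# --- Alternative 3: tag on the way in, decide on the way out --------------
# The inbound rule is deliberately stateless so every packet from the host is
# evaluated again on $ext_if, where the tag decides its fate.
pass  in  on $int_if from $bad_host to any tag RESTRICTED
block out on $ext_if tagged RESTRICTED
pass  out on $ext_if proto tcp from any to any port { http, https } tagged RESTRICTED keep state
```

Check a candidate ruleset with `pfctl -nf /etc/pf.conf` before loading it; a syntax error there costs nothing, whereas a mis-ordered "quick" rule silently shadows everything below it.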


