From: Fire walls <fayerwall@gmail.com>
To: freebsd-pf@freebsd.org
Date: Tue, 23 Jun 2009 17:58:00 -0700
Subject: Understanding the keep state?
List-Id: "Technical discussion and general questions about packet filter (pf)"

Hi people.

I started working with pf in FreeBSD 7.2. It is working, but I have some doubts that I would like someone to clarify for me.

My home network is the classic one, 2 NICs:

    Nic1 --> ng0   Public IP, PPPoE
    Nic2 --> sis0  My home network

All my clients (Windows boxes, Linux and BSD OS) receive their IP from my firewall. If someone tries to access the outside they reach Nic2 and then Nic1, and done, they can access the outside.

The keep state function is to track each connection; in my case I prefer to open just the ports I need, for example www.

    Nic1 --> ExtIF
    Nic2 --> IntIF
    LOCALLAN= 192.168.50.0/24

    # NAT rule
    nat on $ExtIF inet from $LOCALLAN to any -> ($ExtIF)

    # LAN rule
    pass in quick on $IntIF proto tcp from $LOCALLAN to any port 80 flags S/SA

    # Firewall rule
    pass out quick on $ExtIF proto tcp from any to any port 80 flags S/SA keep state label "Internet Browsing http"

In my case, anyone who needs access to the outside (www) first reaches the "LAN Rule", then the IntIF detects that they are trying to access an IP that is not on its side, then that NIC forwards the packet to the next gate, in this case the ExtIF, and hits the "Firewall Rule". Working this way, where is the best place to put the "keep state" statement: in the "LAN Rule", in the "Firewall Rule", or in both?

Thanks all for your help; if I'm doing this the wrong way please let me know, I want to get a deep understanding of pf.

-- :-)
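The following is an added illustration, not part of the post above and not pf's own code: a deliberately small Python model of what "flags S/SA keep state" does for the "Firewall Rule" on the external interface. It models only the external interface, uses floating state entries (matched regardless of interface) keyed on the 5-tuple, and leaves out NAT and the LAN-side rule entirely, so it says nothing about the LAN-versus-firewall placement question; it only shows why the reply packets of a tracked connection get through without a separate "pass in" rule, and why a packet that is not a bare SYN cannot create state on its own. All addresses are constructed documentation-range values; the rule and label names mirror the post.

```python
"""Simplified model of pf-style stateful filtering (constructed example, not pf code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str   # "in" or "out" relative to the firewall
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: str       # TCP flags as letters, e.g. "S" (SYN), "SA" (SYN/ACK), "A"


@dataclass
class Rule:
    action: str                              # "pass" or "block"
    direction: Optional[str] = None          # None matches both directions
    iface: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    flags: Optional[Tuple[str, str]] = None  # ("S", "SA"): of S and A, only S may be set
    keep_state: bool = False
    quick: bool = False
    label: str = ""

    def matches(self, p: Packet) -> bool:
        if self.direction and self.direction != p.direction:
            return False
        if self.iface and self.iface != p.iface:
            return False
        if self.proto and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.flags:
            want, mask = self.flags
            examined = {f for f in p.flags if f in mask}   # look only at the masked flags
            if examined != set(want):
                return False
        return True


class Firewall:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.states = set()   # floating states keyed on (proto, src, sport, dst, dport)

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> Tuple[str, str]:
        # 1. State lookup first: a packet of a tracked connection, in either
        #    direction, passes without walking the ruleset at all.
        if self._key(p) in self.states or self._reverse_key(p) in self.states:
            return ("pass", "state")
        # 2. Ruleset walk: the last matching rule wins unless a match is "quick".
        winner = None
        for r in self.rules:
            if r.matches(p):
                winner = r
                if r.quick:
                    break
        if winner is None:
            return ("pass", "no rule matched")
        if winner.action == "pass" and winner.keep_state:
            self.states.add(self._key(p))   # only a rule-matching packet creates state
        return (winner.action, winner.label or winner.action)


def external_rules(keep_state: bool) -> List[Rule]:
    """block all, then the post's "Firewall Rule" on ng0 with or without keep state."""
    return [
        Rule("block", label="block all"),
        Rule("pass", direction="out", iface="ng0", proto="tcp", dport=80,
             flags=("S", "SA"), keep_state=keep_state, quick=True,
             label="Internet Browsing http"),
    ]


def browse_www(keep_state: bool) -> List[Tuple[str, str]]:
    """Outgoing SYN on ng0, then the server's SYN/ACK coming back in on ng0."""
    fw = Firewall(external_rules(keep_state))
    syn = Packet("ng0", "out", "tcp", "203.0.113.5", 50000, "198.51.100.80", 80, "S")
    synack = Packet("ng0", "in", "tcp", "198.51.100.80", 80, "203.0.113.5", 50000, "SA")
    return [fw.filter(syn), fw.filter(synack)]


def stray_ack_without_handshake() -> Tuple[str, str]:
    """A lone ACK to port 80 never saw a SYN, so flags S/SA refuses to create state."""
    fw = Firewall(external_rules(keep_state=True))
    ack = Packet("ng0", "out", "tcp", "203.0.113.5", 50001, "198.51.100.80", 80, "A")
    return fw.filter(ack)


if __name__ == "__main__":
    print("with keep state:   ", browse_www(True))
    print("without keep state:", browse_www(False))
    print("stray ACK:         ", stray_ack_without_handshake())
```

With keep state on the rule, the SYN creates a state entry and the SYN/ACK is passed by the state lookup alone; without it, the SYN/ACK falls through to "block all" because no rule passes traffic in on ng0. The lone ACK is blocked in both cases, which is the effect of "flags S/SA": only a packet with SYN set and ACK clear can create the state.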