From: "Greg Hennessy"
To: "'Michael VInce'"
Cc: freebsd-pf@freebsd.org
Date: Tue, 11 Jul 2006 13:54:45 +0100
Subject: RE: PF firewall rules
Message-ID: <001801c6a4e9$2f8bbca0$0a00a8c0@thebeast>
In-Reply-To: <44B396C3.90205@thebeastie.org>

> I did mention it a few times but I suppose I wasn't clear
> about it, but I really do want to use "single line firewall
> rules", and the only way to do this is to keep state, if
> there are other ways/rules to have really flexible firewall
> but still with stateful inspection with a small amount of
> rules I would like to see them.

Yes, RTFMP on tag and tagged.
Create generic egress rules on all the filtered interfaces with 'tagged', e.g.

    pass out on {int1,int2,int3} $TCP to any tagged through $KSF

Use 'tag' on ingress rules as appropriate, e.g.

    pass in on int1 $TCP from a to b tag through $KSF

Or, in an environment with no NAT, use interface classes on bidirectional rules combined with anti-spoofing.

Greg
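The following pf.conf fragment is an added illustration of the tag/tagged pattern described in the reply above; it is not part of the original message and not Greg's configuration. The interface names, networks, host addresses, the tag name THROUGH, and the expansion of the $TCP and $KSF macros are all assumptions made for the example. Ingress rules decide what is allowed and stamp the state with a tag; a single egress rule per protocol then lets anything already tagged leave on any filtered interface, and the default block catches the rest. Reply packets match the state entry directly, so no rule is needed for them.

```pf
# Added example (not from the original message). Interface names, addresses,
# the tag name and the macro contents are assumptions for illustration.
ext_if = "em0"
dmz_if = "em1"
lan_if = "em2"
filtered = "{" $ext_if $dmz_if $lan_if "}"

lan_net   = "192.168.1.0/24"   # constructed sample network
dmz_net   = "10.0.0.0/24"      # constructed sample network
webserver = "10.0.0.10"        # constructed sample host in the DMZ

# Assumed expansions of the $TCP / $KSF shorthand used in the reply.
TCP = "proto tcp"
KSF = "flags S/SA keep state"

set skip on lo0

# Default deny, logged, so anything that is not explicitly tagged on the
# way in is dropped on the way out.
block log all

# Drop packets arriving on an interface with a source address that belongs
# to a different interface's network.
antispoof quick for $filtered

# Ingress rules: the only place policy is decided. Each one creates a
# state entry carrying the THROUGH tag.
pass in on $lan_if $TCP from $lan_net to any port { 80, 443 } tag THROUGH $KSF
pass in on $lan_if $TCP from $lan_net to $dmz_net port 22 tag THROUGH $KSF
pass in on $ext_if $TCP from any to $webserver port 80 tag THROUGH $KSF

# One generic egress rule for all filtered interfaces: only traffic that was
# tagged by an ingress rule may leave. No per-interface egress rules needed.
pass out on $filtered $TCP to any tagged THROUGH $KSF
```

Check the syntax before loading it with `pfctl -nf /etc/pf.conf`. The explicit `flags S/SA keep state` matches pf of the FreeBSD 6 era the thread refers to; newer pf releases apply both by default, and the explicit form is still accepted. Because `block log all` is the default, a missing `tag` on a new ingress rule shows up immediately in `pflog` rather than silently passing, which is the property that keeps the egress side down to a single rule.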