Date: Tue, 11 Jul 2006 13:54:45 +0100
From: "Greg Hennessy" <Greg.Hennessy@nviz.net>
To: "'Michael VInce'" <mv@thebeastie.org>
Cc: freebsd-pf@freebsd.org
Subject: RE: PF firewall rules
Message-ID: <001801c6a4e9$2f8bbca0$0a00a8c0@thebeast>
In-Reply-To: <44B396C3.90205@thebeastie.org>
>
> I did mention it a few times but I suppose I wasn't clear
> about it, but I really do want to use "single line firewall
> rules", and the only way to do this is to keep state, if
> there are other ways/rules to have really flexible firewall
> but still with stateful inspection with a small amount of
> rules I would like to see them.
Yes, RTFMP on tag and tagged.

Create generic egress rules on all the filtered interfaces with 'tagged'.
E.g.

    pass out on {int1,int2,int3} $TCP to any tagged through $KSF

Use tag on ingress rules as appropriate.
E.g.

    pass in on int1 $TCP from a to b tag through $KSF

Or... in an environment with no NAT, use interface classes on bidirectional
rules combined with anti-spoofing.
Greg
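The tag/tagged pattern from the reply above, written out as a complete pf.conf so the whole ruleset can be read in one place. This is an added example, not a ruleset from the thread or from either poster; the interface names, macro names and the tag string are assumptions for illustration. The inbound rules on the inside interfaces classify the traffic and stamp the resulting state with a tag; a single generic outbound rule on the external interface then passes whatever carries that tag, so adding a new allowed service means touching one ingress rule rather than a matching egress rule per interface. Antispoof rules are included because the tag is only trustworthy if the packet really arrived on the interface the ingress rule claims.

```pf
# Added example pf.conf (not from the original thread). Interface names,
# networks, service list and the tag name are assumptions.
ext_if      = "em0"
int_ifs     = "{ em1 em2 em3 }"
lan_nets    = "{ 10.0.1.0/24 10.0.2.0/24 10.0.3.0/24 }"
tcp_services = "{ www https ssh }"

set skip on lo0

# Default deny, logged, so anything not explicitly classified shows up in pflog
block log all

# Reject packets whose source address does not belong on the arriving interface;
# without this a host on one inside segment could borrow another segment's
# addresses and inherit that segment's tag.
antispoof quick for { $ext_if em1 em2 em3 }

# Ingress: classify once on the inside interfaces and stamp the state with a tag.
# Only new connections (SYN without ACK) create state.
pass in on $int_ifs proto tcp from $lan_nets to any port $tcp_services \
    flags S/SA keep state tag LAN_EGRESS

# Egress: one generic rule on the outside interface passes anything that
# carries the tag. No per-service or per-interface egress rules are needed.
pass out on $ext_if tagged LAN_EGRESS keep state
```

Load it with `pfctl -nf /etc/pf.conf` first to check syntax, then `pfctl -f /etc/pf.conf`. To see which tag a live state carries, `pfctl -vvss` prints the tag alongside each state entry, which is the quickest way to confirm that a connection took the intended ingress rule rather than slipping through some other path.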