Date:      Tue, 22 Mar 2005 15:42:20 +0300
From:      "Eugene M. Minkovskii" <emin@mccme.ru>
To:        "Peter N. M. Hansteen" <peter@bgnett.no>
Cc:        freebsd-questions@freebsd.org
Subject:   Re: OpenBSD's pf and traffic
Message-ID:  <20050322124220.GB3137@mccme.ru>
In-Reply-To: <86hdj36fho.fsf@amidala.datadok.no>
References:  <20050320093159.GA3213@mccme.ru> <861xaamf9t.fsf@amidala.datadok.no> <20050321071227.GA29429@mccme.ru> <86eke9fn7o.fsf@amidala.datadok.no> <20050322120451.GA3137@mccme.ru> <86hdj36fho.fsf@amidala.datadok.no>

On Tue, Mar 22, 2005 at 01:18:27PM +0100, Peter N. M. Hansteen wrote:
" "Eugene M. Minkovskii" <emin@mccme.ru> writes:
" 
" 
" I'd say something along the lines of 
" 
" allowed_out = "{ ssh, domain, http, https, etc... }"
" 
" pass out on $ext_if proto tcp $allowed_out label allowed-out keep state
" 
" you could differentiate among source addresses, for example by
" specifying
" 
" client1 = "{ 192.168.n.1, 192.168.n.2 }"
" client2 = "{ 192.168.n.3, 192.168.n.4 }"
" 
" client2_inports = { whatever they need }
" 
" pass out on $ext_if from $client1 to any proto tcp $allowed_out \
"      label client1 keep state
" 
" pass out on $ext_if from $client2 to any proto tcp $allowed_out \
"      label client2-out keep state
" 
" pass from any to $client2 $client2_inports label client2-in keep state
" 
" and so on. Hope this helps.

Just a moment, does it mean that your last rule allows any
incoming connections from the world to the clients if they match
client2_inports, ANY, not only connections opened by the clients?

Moreover, I read in the documentation that the state table is checked BEFORE
the rules, so connections opened by the clients through the first rule:

pass out on $ext_if from $client1 to any proto tcp $allowed_out \
     label client2 keep state

will not be marked with the label client2-in because they don't pass
through this rule. Am I right?

-- 
Sensory  yours, Eugene  Minkovskii
Сенсорно ваш,   Евгений Миньковский
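A pf.conf fragment that puts the two points of this exchange into a loadable ruleset (state created by the outbound rules, and an inbound rule scoped to client2's ports), added here as an example and not taken from the thread; interface names and addresses are assumed:

```conf
# Added example, not from the thread. Interface and addresses are assumed.
ext_if = "fxp0"
int_if = "fxp1"
client1 = "{ 192.168.1.1, 192.168.1.2 }"
client2 = "{ 192.168.1.3, 192.168.1.4 }"
allowed_out = "{ ssh, domain, http, https }"
client2_inports = "{ ssh, http }"

# Default deny; the LAN side is passed as-is so it does not get in the way.
block all
pass quick on $int_if all

# Outbound connections opened by the clients. The "port" keyword is
# required before a port list. Because each rule keeps state, the reply
# packets match the state entry and are counted against the label of the
# rule that created the state; they never reach the inbound rule below.
pass out on $ext_if proto tcp from $client1 to any port $allowed_out \
    label client1-out keep state
pass out on $ext_if proto tcp from $client2 to any port $allowed_out \
    label client2-out keep state

# New connections from the outside to client2. Limiting the rule to
# "in on $ext_if" and to initial SYNs means it admits only fresh
# connections to the listed ports, not arbitrary traffic in either direction.
pass in on $ext_if proto tcp from any to $client2 port $client2_inports \
    flags S/SA label client2-in keep state
```

The per-label counters can be read with `pfctl -s labels`, which is where the difference between client2-out and client2-in traffic becomes visible.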