Date: Tue, 23 Jun 2009 17:58:00 -0700
From: Fire walls <fayerwall@gmail.com>
To: freebsd-pf@freebsd.org
Subject: Understanding the keep state?
Message-ID: <b61774460906231758h172e2258gab1b6d6a948d65f1@mail.gmail.com>
Hi people.

I started working with pf in FreeBSD 7.2. It is working, but I have some doubts that I would like someone to clarify for me.

My home network is the classic one, 2 NICs:

    Nic1 --> ng0   Public IP, PPPoE
    Nic2 --> sis0  My home network

All my clients (winboxes, Linux and BSD OS) receive their IP from my firewall. If someone tries to access the outside, they reach Nic2 and then Nic1, and then they can access the outside.

The keep state function is to track each connection. In my case I prefer to open just the ports I need, for example www.

    Nic1 --> ExtIF
    Nic2 --> IntIF
    LOCALLAN = 192.168.50.0/24

    * NAT rule
    nat on $ExtIF inet from $LOCALLAN to any -> ($ExtIF)

    * LAN rule
    pass in quick on $IntIF proto tcp from $LOCALLAN to any port 80 flags S/SA

    * Firewall rule
    pass out quick on $ExtIF proto tcp from any to any port 80 flags S/SA keep state label "Internet Browsing http"

In my case, anyone who needs access to the outside (www) first reaches the "LAN rule", then the IntIF detects that they are trying to access an IP that is not on its side, then that NIC forwards the packet to the next gateway, in this case the ExtIF, and hits the "Firewall rule".

Working this way, what is the best place to put the "keep state" statement: in the "LAN rule", in the "Firewall rule", or in both?

Thanks all for your help. If I'm doing this the wrong way please let me know, I want to get a deep understanding of pf.

-- 
:-)
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?b61774460906231758h172e2258gab1b6d6a948d65f1>
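As an added example (not the original poster's ruleset, and not an answer from the list), here is a minimal stateful pf.conf for the two-NIC layout described in the message. It keeps the poster's interface macros, LAN prefix, NAT rule and the two http rules, and adds a default deny, antispoof and an explicit state-policy; the point it shows is that a state created by the inbound rule on $IntIF is a floating state (the default on FreeBSD pf), so it also covers the same flow when it leaves on $ExtIF and when the reply comes back, which is why keeping state on the LAN-side rule alone is sufficient and why a stateful out rule on $ExtIF is a harmless belt-and-braces addition rather than a requirement. Writing `keep state` and `flags S/SA` out explicitly documents the intent even though FreeBSD 7.x pf (imported from OpenBSD 4.1) already defaults pass rules to them. The example covers only the http path; DHCP, DNS and the firewall's own traffic would need their own pass rules, which are left out here.

```pf
# Added example, not the poster's configuration.
# Interface names and the LAN prefix are taken from the post; the
# default deny, antispoof and state-policy lines are additions.
ExtIF    = "ng0"
IntIF    = "sis0"
LOCALLAN = "192.168.50.0/24"

# floating (the default): a state entry matches packets on any interface.
# With if-bound, a state created on $IntIF would NOT match the same flow
# on $ExtIF, and both rules would then need their own keep state.
set state-policy floating
set skip on lo0

# Translate LAN sources to the current PPPoE address (parentheses make pf
# re-read the address when ng0 changes IP).
nat on $ExtIF inet from $LOCALLAN to any -> ($ExtIF)

# Default deny everything, then open only what is needed.
block all
antispoof quick for { lo0 $IntIF }

# LAN rule: keep state here. The state created on the SYN from the LAN
# client covers the outbound packet on $ExtIF, the reply coming in on
# $ExtIF, and the reply going out on $IntIF, so no separate
# "pass out on $IntIF" rule is needed for the return traffic.
pass in quick on $IntIF inet proto tcp from $LOCALLAN to any port 80 \
    flags S/SA keep state label "lan-http"

# Firewall rule: with floating states this rule is normally never
# consulted for LAN-originated flows (the state above matches first).
# It still matters if state-policy is switched to if-bound, or for
# connections the firewall itself opens to port 80.
pass out quick on $ExtIF inet proto tcp from any to any port 80 \
    flags S/SA keep state label "Internet Browsing http"
```

To check which rule is actually creating the states, load the file with `pfctl -nf /etc/pf.conf` (syntax check only) and then `pfctl -f /etc/pf.conf`, browse from a LAN host, and look at `pfctl -vsr`: the per-rule counters show how many states each rule has created, and `pfctl -ss` lists the live state entries with both the LAN and the translated addresses.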