Post #8
Old 14th November 2008
neurosis
Fdisk Soldier
 
Join Date: Jul 2008
Posts: 69

I just wanted to follow up here. First off, the

Code:
pass out quick on $ext_if inet proto { tcp, udp, icmp } from $int_if:10.1.10.2 \
to any modulate state
rule did not work out for me. I've tried it several ways, from

Code:
pass out quick on $ext_if inet proto { tcp, udp, icmp } from ($int_if) \
to any modulate state
to

Code:
pass out quick on $ext_if from ($int_if) to any modulate state
to

Code:
pass out quick on $ext_if from 10.1.10.2 to any

So far, with my limited knowledge, the only way I have been able to pass through the gateway is with this combination of rules.

Code:
ext_if="fxp0"
int_if="fxp1"
lan_hosts="{10.1.10.2 10.1.10.3}"

nat on $ext_if from { 192.168.0.1/16 } to any -> ($ext_if)

# allow traffic initiated from Router to outside
pass out quick on $ext_if from ($ext_if) to any modulate state

# allow all traffic only for connections initiated from LAN to Internet
pass in quick on $int_if from $lan_hosts to any modulate state
This allows traffic from the LAN to the Internet but does not allow unsolicited traffic into my LAN. This is a good starting point, but to do what I am trying to accomplish, I can modify this rule:

Code:
pass in quick on $int_if from $lan_hosts to any modulate state
to regulate what the LAN is doing. Then the problem is, I want to regulate what traffic is allowed out of the gateway.

This rule:
Code:
pass out quick on $ext_if from ($ext_if) to any modulate state
It just allows all traffic initiated by the gateway itself out. Man, I feel dense. This seems like it would be somewhat insecure?

I will change the above rule into several rules to regulate what is allowed out of the gateway. My thinking is that the rules minimally have to match the LAN rules so as not to break the LAN connection to the Internet, but what if I want to restrict the gateway separately? Is this even intelligent thinking, or am I just being thick?

Last edited by neurosis; 14th November 2008 at 07:16 PM.
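The separation asked about above, as an added example that is not from the original post or thread: a pf.conf fragment that tags LAN-originated packets on the way in through $int_if and passes only tagged packets out of $ext_if, while the gateway's own outbound traffic is limited to a short service list. The reason a single `pass out on $ext_if from ($ext_if)` rule covers both cases in the post is that by the time outbound rules on $ext_if are evaluated, NATed LAN packets already carry ($ext_if)'s address too, so the source address cannot tell the two apart; the tag can. Interface names and LAN hosts are taken from the post; the service lists, the `LAN_OUT` tag name and the `:network` NAT source are assumptions (the post's nat rule translates 192.168.0.0/16 while its LAN hosts are 10.1.10.x, so here the NAT source is tied to the internal interface's own network instead).

```pf
# Added example (not the original poster's ruleset). Assumes OpenBSD pf
# with the interfaces from the post and a LAN of 10.1.10.0/24 on fxp1.
ext_if="fxp0"
int_if="fxp1"
lan_hosts="{ 10.1.10.2, 10.1.10.3 }"

# What the gateway itself is allowed to reach. Hypothetical choice:
# DNS, NTP, package/update fetches over http/https, outbound ssh, ping.
gw_tcp_services="{ domain, http, https, ssh }"
gw_udp_services="{ domain, ntp }"

set skip on lo

# Translate whatever lives on the internal interface's network, not a
# literal that may not match the LAN.
nat on $ext_if from $int_if:network to any -> ($ext_if)

# Default deny, logged, so anything the gateway tries that is not listed
# below shows up on pflog0 instead of silently working.
block log all

# LAN -> Internet: tag on the way in on $int_if, then let only tagged
# packets out of $ext_if. The tag set on the inbound interface is still
# attached when the same packet is evaluated on the outbound interface.
pass in quick on $int_if from $lan_hosts to any tag LAN_OUT modulate state
pass out quick on $ext_if tagged LAN_OUT modulate state

# Gateway-originated traffic is untagged, so it falls through to these
# narrower rules. They must come after the tagged rule: after NAT, LAN
# packets also have ($ext_if) as source and would otherwise match here.
pass out quick on $ext_if inet proto tcp from ($ext_if) to any \
    port $gw_tcp_services flags S/SA modulate state
pass out quick on $ext_if inet proto udp from ($ext_if) to any \
    port $gw_udp_services keep state
pass out quick on $ext_if inet proto icmp from ($ext_if) to any \
    icmp-type echoreq keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, then confirm from the gateway that something not on the list (for example a TCP connection to port 25 on an outside host) is blocked while a LAN host can still reach the same port; the blocked attempt appears via `tcpdump -n -e -ttt -i pflog0` because the default block rule is logged. To restrict what the LAN may do, narrow the `pass in quick on $int_if` rule the same way, with a `port` list, without touching the gateway's own rules; the two sets are now independent.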