7th February 2010
J65nko
Administrator
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128

Yes, your assessment is correct.

I stick a label or a tag on a packet, when it enters the firewall box. For traffic initiated by your local LAN, this means the internal interface.

A rule like pass in quick on $INT inet proto tcp from $INT:network to any port $TCPservices tag OUT_ok creates a state. All traffic belonging to this state is accepted, so also the reply packets that first enter the firewall on the external interface.
This accepting in of reply packets is taken care of by the pass out quick on $EXT tagged OUT_ok rule, which first accepts all packets with the OUT_ok tag, sends them out and, because it also creates state, allows them in again.

This allows you to create very simple and logical rulesets.

Tags have been in pf since 2003 IIRC but since everybody seems to copy old rulesets covered with cobwebs from the dark and dusty attics from the Internet, hardly anybody uses them. I have been advocating tags on the predecessor of these forums for about 7 years. Especially if you have to redirect traffic, using tags makes it very easy to follow.

I also group the rules by direction and interface. This makes the rules easy to understand. In most of my rule sets the pf rule optimizer has hardly anything to do.

Now the question is: does it help in your case? I have no problems with visiting that forum.cartographersguild.com website and I am behind an OBSD firewall too.
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
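An added example, not the poster's own ruleset, of the tag-and-state pattern described in the post, laid out by direction and interface the way the post recommends. The interface names, the service lists, the address of the LAN web server behind the redirect, and the OpenBSD 4.7+ match/nat-to/rdr-to syntax are assumptions for illustration; tag and tagged work the same way with the older separate nat/rdr rules.

```pf
# Added example, not the poster's ruleset. Interface names, the LAN web
# server address and the service lists are assumptions for illustration.
# Syntax is the OpenBSD 4.7+ form (match ... nat-to, rdr-to on pass rules).
ext_if = "em0"
int_if = "em1"
www_srv = "192.168.1.80"            # assumed LAN web server reached via rdr-to
tcp_services = "{ domain, http, https, ssh }"
udp_services = "{ domain, ntp }"

set skip on lo
set loginterface $ext_if

# Default deny and log it; every rule below is an explicit, quick pass,
# so a packet that reaches no pass rule is dropped and shows up on pflog0.
block log all

# --- $int_if, in: traffic initiated by the LAN enters the box here --------
# The tag is stuck on the packet and remembered in the state it creates,
# so the replies belonging to that state are accepted as well.
pass in quick on $int_if inet proto tcp from $int_if:network to any \
    port $tcp_services tag OUT_ok
pass in quick on $int_if inet proto udp from $int_if:network to any \
    port $udp_services tag OUT_ok
pass in quick on $int_if inet proto icmp from $int_if:network to any \
    icmp-type echoreq tag OUT_ok

# --- $ext_if, in: the only unsolicited traffic is the web redirect ---------
# Tagging on the redirect rule makes the forwarded traffic easy to follow:
# the matching pass out on $int_if below only has to look at the tag.
pass in quick on $ext_if inet proto tcp from any to ($ext_if) port http \
    rdr-to $www_srv tag WWW_in

# --- $ext_if, out: NAT the LAN and let only tagged packets leave -----------
match out on $ext_if inet from $int_if:network nat-to ($ext_if)
pass out quick on $ext_if tagged OUT_ok

# --- $int_if, out: only the redirected web traffic goes into the LAN -------
pass out quick on $int_if tagged WWW_in
```

To check it the way the post's signature suggests: pfctl -nf /etc/pf.conf parses the file without loading it, pfctl -sr shows the ruleset as actually loaded (so you can see whether the optimizer changed anything), and tcpdump -n -e -ttt -i pflog0 shows every packet the block log all rule dropped together with the rule number that matched, which is usually enough to spot a missing tag or a rule on the wrong interface.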