#7, 12th November 2008
neurosis (Fdisk Soldier; Join Date: Jul 2008; Posts: 69)

Quote:
Originally Posted by J65nko
I wonder why you still would need the Linksys router if your FreeBSD box plays firewall/gateway
Because I don't trust my ability to make a secure firewall yet, of course. It's my "onion" of security, so to speak.

Quote:
Yes that would work for TCP traffic. You would need a similar rule for UDP like this
Code:
pass out quick on $ext_if inet proto udp from 10.1.10.2 to any keep state
The icmp one is similar, although I would restrict that to echo requests only (used by ping).
One other question about this rule, to simplify it. Can it look like this?

Code:
pass out quick on $ext_if inet proto { tcp, udp, icmp } from $int_if:10.1.10.2 \
to any modulate state
I want to make sure that what is so liberally allowed out is coming from that IP only on my int_if. Is $int_if:10.1.10.2 even a viable option? I added the rule in my pf.conf to use int_if:network; I'm just wondering how flexible that is.
I've only seen $int_if:network in examples, but I would like to limit it down a bit more.

I also would like to limit the icmp more as you said above, only to echo requests, but is that necessary for outgoing icmp from inside of my personal network? Just looking for opinions.

Also, would there be any reason not to add the quick option to this rule, since I don't want any rules affecting this later on, although I'm not sure what they would be.

Here is the example I saw on the pf faq.

Code:
Keep state on outgoing TCP, UDP, and ICMP packets and modulate TCP ISNs:

    pass out on fxp0 proto { tcp, udp, icmp } from any \
        to any modulate state
Thanks a bunch for your help. I really appreciate it.

Last edited by neurosis; 12th November 2008 at 11:26 PM.
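Added example (the editor's, not code from this thread or from the pf FAQ): a pf.conf fragment showing one way to express the intent in the post above, i.e. only 10.1.10.2 gets the liberal outbound access, its packets must arrive on $int_if, and ICMP is limited to echo requests. The interface names em0/em1 are placeholders. It assumes pf's interface modifiers are limited to :network, :broadcast, :peer and :0, so a single host is written as a plain address and pinned to the interface by filtering on the inbound side of $int_if rather than with $int_if:10.1.10.2.

```pf
# Added example (editor's own, not from the thread). Interface names and
# addresses are placeholders; adjust them to the real setup.
ext_if   = "em0"
int_if   = "em1"
lan_host = "10.1.10.2"

set skip on lo0

# Packets claiming a $int_if source address but arriving elsewhere are forged.
antispoof quick for $int_if inet

# Default deny. Without "quick" the last matching rule wins, so a later
# "pass" could silently widen an earlier rule; "quick" ends evaluation.
block all

# Only the trusted LAN host may open sessions through the gateway. Filtering
# on the inbound side of $int_if is what ties the address to that interface.
pass in quick on $int_if inet proto { tcp udp } from $lan_host to any keep state

# icmp-type only applies to proto icmp, so ICMP gets its own rule; echoreq
# is enough for ping, and replies come back via the state entry.
pass in quick on $int_if inet proto icmp from $lan_host to any icmp-type echoreq keep state

# Forward what was accepted above (and the gateway's own traffic) out $ext_if.
# "modulate state" only changes TCP ISNs; for udp/icmp it acts as keep state.
pass out quick on $ext_if inet proto { tcp udp icmp } from any to any modulate state
```

Usage: load with `pfctl -nf /etc/pf.conf` first (the -n flag parses without loading) and check `pfctl -sr` afterwards to confirm the rule order is what you expect. Because other LAN hosts never match a pass rule on $int_if, the permissive `pass out on $ext_if` rule only ever sees traffic that 10.1.10.2 (or the gateway itself) originated.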