From: Adrian Buxton (Adrian.Buxtonteam.ozemail.com.au)
Date: Fri Jun 21 2002 - 03:35:06 CDT


    > > They create states on both interfaces? Where?? The only
    > > rules relating to this are
    > >
    > > pass in quick on $int_if proto tcp from $int_nets to any flags S keep state
    > > pass in quick on $int_if proto { icmp, udp } from $int_nets to any keep state
    >
    > But you also have
    >
    > pass out quick on $ext_if proto tcp from $ext_if to any flags S keep state
    > pass out quick on $ext_if proto { icmp, udp } from $ext_if to any keep state
    >

    Okay. Accepted, and that explains how the NAT connections work. So,
    essentially I have to keep state on the outbound for it to work correctly.
    Bugger.

    This also means that the HOWTO document has a bogus demonstration ruleset.

    I'm still interested in the answers to my bridging questions. The documents
    I read said the answer was to keep state on one interface only to avoid
    having multiple keep state rules per interface, but from what I've just
    learned you have to do that even in routed mode.

    Cheers,
    Adrian.
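For readers following the thread, here is the conclusion above written out as a complete pf.conf fragment. This is an added illustration, not Adrian's ruleset or the HOWTO's; the macro values (interface names and the 192.168.0.0/24 internal network) are assumed, and the rule syntax is that of pf as discussed in the thread (nat rules before filter rules, `keep state` on both the inbound internal-side rule and the outbound external-side rule).

```pf
# --- assumed macros (constructed for this example) ---
ext_if   = "xl0"
int_if   = "xl1"
int_nets = "{ 192.168.0.0/24 }"

# --- translation: internal hosts leave with the external address ---
nat on $ext_if from $int_nets to any -> $ext_if

# --- default deny on every interface, both directions ---
block in  all
block out all

# --- inbound on the internal interface: state keyed on the internal address ---
pass in  quick on $int_if proto tcp          from $int_nets to any flags S keep state
pass in  quick on $int_if proto { icmp, udp } from $int_nets to any keep state

# --- outbound on the external interface: a second state for the NATed flow ---
# Without these two rules the translated packet leaving $ext_if, and the
# reply arriving on it, have no matching state on that interface and are
# dropped by the block rules above.
pass out quick on $ext_if proto tcp          from $ext_if to any flags S keep state
pass out quick on $ext_if proto { icmp, udp } from $ext_if to any keep state
```

Check the loaded rules with `pfctl -sr` and watch the two state entries for one connection appear with `pfctl -ss` while a host on $int_nets opens a TCP session outward.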