[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: OpenBSD FAQ section on ipfilter shows poor example for outbound?

To: "'faq@openbsd.org'" <faq@openbsd.org>,OpenBSD misc <misc@openbsd.org>
Subject: RE: OpenBSD FAQ section on ipfilter shows poor example for outbound?
From: "Stephen Gutknecht (OBSD Misc)" <IML-OpenBSD-misc@i405.com>
Date: Tue, 21 Nov 2000 10:49:04 -0800

Thanks for the responses so far.  Sounds like there is some agreement that
the FAQ is providing a poor example.

I made a couple of mistakes in my provided replacement, here is what I would
recommend (subject to further change).  Old FAQ content:

 # and let out-going traffic out and maintain state on established
connections
 pass out on fxp0 from any to any keep state 

Replace with new:

 # and let out-going traffic out and maintain state on established
connections
 # -- The flags S on the keep state is to ensure that state tracking starts
 #    only on the first outbound packet in a tcp session. This prevents
 #    unnecessary consumption of state table entries.
 # -- The flag s only works on the tcp protocol, so three entries are
required
 #    to cover all three protocols (tcp, udp, icmp).
 pass in      quick on fxp0 proto tcp  from any to any flags S keep state
 pass in      quick on fxp0 proto udp  from any to any         keep state
 pass in      quick on fxp0 proto icmp from any to any         keep state


Note that the other change is that we are doing a "pass in" and not a "pass
out".  I suggest that "pass in" be show in the OpenBSD FAQ given that many
users are doing bridging and "pass out" is not supported.

  Stephen Gutknecht
  Renton, Washington


-----Original Message-----
From: Stephen Gutknecht (OBSD Misc) [mailto:IML-OpenBSD-misc@i405.com]
Sent: Monday, November 20, 2000 10:54 PM
To: 'faq@openbsd.org'; OpenBSD misc
Subject: OpenBSD FAQ section on ipfilter shows poor example for
outbound?


[snip]

And of course, a link to the OpenBSD FAQ section:
  http://www.openbsd.org/faq/faq6.html

The current OpenBSD FAQ shows samples with this logic for the outbound (to
Internet) packets:

  # and let out-going traffic out and maintain state on established
connections
  pass out on fxp0 from any to any keep state 

Whereas I think having this in an important FAQ ensures people start off on
the wrong foot :)  It might be best to add a little more info:

  # and let out-going traffic out and maintain state on established
connections.
  # only start the state tracking on the first packet (flag S before keep
state)
  pass out on fxp0 from any to any flag S keep state 

[snip]

Follow-Ups:
- Re: OpenBSD FAQ section on ipfilter shows poor example for outbound?
  - From: rob <europax@home.com>

Prev by Date: Re: problem installing tin-1.4.4 from the ports tree
Next by Date: Adaptec AAA-131 RAID Controller
Prev by thread: OpenBSD FAQ section on ipfilter shows poor example for outbound?
Next by thread: Re: OpenBSD FAQ section on ipfilter shows poor example for outbound?
Index(es):
- Date
- Thread