You are correct, you can only filter input packets with a bridge.
-----Original Message-----
From: Claus
To: misc@openbsd.org
Sent: 2/28/01 1:24 PM
Subject: Re: the keep state rule
Your post is a little confusing, or maybe it's just me.
The "out" rules don't work in bridging mode. It might be that the "out"
rule only applies to connections from the firewall itself. I haven't
confirmed that yet. Maybe sometime I'll get time to try this out.
To save space in the state table, use the "flags" keyword in your
rules. Just check the How-To or browse the archives; there are plenty of
examples.
At 10:52 AM 02/28/2001, Maxime Longuet wrote:
>I have a bridge + IPF
>
>xl0 on my internal network
>xl1 on my router
>
>I've these rules
>
>pass in log quick on xl1 proto icmp from any to 193.56.133.70/32
>
>pass in quick on xl1 proto icmp from any to 193.56.133.200/32
>
>pass in quick on xl0 proto TCP/UDP all keep state
>
>block in log quick on xl1 from any to any
>
>
>But for pass out, the rule "pass in quick on xl0 proto TCP/UDP all keep
>state" is necessary, and the words "keep state" too. The problem is that the
>firewall crashes with too many states. I've already asked this question but
>no success ...
>
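As an added illustration of the "flags" suggestion above (example rules, not the posters' own configuration), here is the quoted rule set with the TCP state rule restricted to connection-opening packets. The interface names xl0/xl1 and the two addresses are taken from the quoted message; the split into separate TCP and UDP rules is an assumption made for the example.

```conf
# Added example ipf.conf, not from the original thread. Interface names
# (xl0 inside, xl1 towards the router) and the two addresses come from the
# quoted rules above; the rest is assumed for illustration.

# ICMP rules as in the original post
pass in log quick on xl1 proto icmp from any to 193.56.133.70/32
pass in quick on xl1 proto icmp from any to 193.56.133.200/32

# Original form (commented out): every TCP or UDP packet entering on xl0
# that matches no existing state creates a new state entry, including
# mid-stream packets of connections ipf never saw open, so the table
# fills quickly.
# pass in quick on xl0 proto tcp/udp all keep state

# Tightened form: "flags S/SA" matches only packets with SYN set and ACK
# clear, i.e. the packet that opens a connection, so only those create a
# TCP state entry. Later packets of that connection are matched from the
# state table; stray non-SYN packets fall through to the remaining rules
# instead of consuming a state slot.
pass in quick on xl0 proto tcp from any to any flags S/SA keep state

# UDP has no flags, so its state rule stays as it was.
pass in quick on xl0 proto udp from any to any keep state

block in log quick on xl1 from any to any
```

With the TCP rule written this way, the state table only grows by one entry per connection actually opened from the inside, which is what the "flags" advice in the reply is aiming at.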