Re: Migration to PF - some questions (lucky.openbsd.misc forum, OpenBSD category)
On 2005-09-08 16:51, Gaby vanhegan wrote:
> On 8 Sep 2005, at 15:32, Stephan A. Rickauer wrote:
>> Gaby vanhegan wrote:
>>> $if_in="xl0"
>>> $if_out="xl1"
>>> pass in on $if_in keep state
>>> pass out on $if_out keep state
>>
>> Ok, let's stick to that example. Imagine a firewall having three
>> interfaces connecting Internet, LAN and DMZ. When I would like to
>> allow SMTP traffic to my mail server in the DMZ, from LAN _and_
>> Internet, where would you filter?
>
> Just spotted a bug. The first two lines should not have the dollars
> on them:
>
> if_in="xl0"
> if_out="xl1"
>
> As to your question, much the same as a normal firewall config set,
> but the line you would want is this (assuming your mailserver runs on
> 1.2.3.4):
>
> # Put this macro at the top
> if_dmz="xl2"
>
> # Later on in the ruleset, deny everything but smtp to the DMZ
> block in on $if_dmz keep state
> pass in on $if_dmz from any to 1.2.3.4 port smtp keep state

Wouldn't that block traffic from the SMTP-server and allow traffic from
the DMZ-net to 1.2.3.4 (which should be on that net)? Should it not be
like this?

block out on $if_dmz
pass in on { $if_lan, $if_wan } from any to 1.2.3.4 port smtp keep state

My understanding is that this will first block all traffic to the
DMZ-net, and then allow traffic coming from the LAN or Internet to pass
to the server 1.2.3.4 (which should be on the DMZ). Since we use keep
state the traffic will not be blocked by rule 1. Or is it me who
misunderstood things?

-- 
Erik Wikström
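Added illustration, not part of the thread and not pf's own code: a small Python model of the parts of pf evaluation that the two proposals above depend on. It models a state lookup before the ruleset, last matching rule wins (no `quick`), pass when no rule matches, and the fact that a packet routed through the firewall is filtered twice, once inbound on the interface it arrives on and once outbound on the interface it leaves, where the state created by the inbound pass rule covers the reply on that side of the firewall but not the outbound leg on the other interface (which is why a routed connection normally appears as two entries in `pfctl -ss`). The interfaces xl0/xl1/xl2 and the mail server 1.2.3.4 come from the thread; the client address 198.51.100.7, the HTTP probe, and the third ruleset (which filters the DMZ-bound leg with `pass out on $if_dmz`) are constructed here. Source matching, NAT, TCP flags and ephemeral ports are left out.

```python
"""Toy model of pf filter evaluation, constructed for this thread; not pf code.
Modelled: state lookup before the ruleset, last matching rule wins (no 'quick'),
pass when no rule matches, and a routed packet being filtered twice ('in' on the
interface it arrives on, 'out' on the one it leaves). A state is keyed for the
side of the firewall it was created on, so it covers the reply on that side but
not the other side's leg. Not modelled: source matching, NAT, flags, ephemeral ports.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    iface: str
    direction: str  # "in" or "out"
    src: str
    dst: str
    port: int       # service port of the connection, same value on both directions

@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    direction: str                # "in" or "out"
    ifaces: Tuple[str, ...] = ()  # () matches any interface (rule without 'on')
    dst: Optional[str] = None     # None means 'to any'
    port: Optional[int] = None    # None means any port
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and (not self.ifaces or pkt.iface in self.ifaces)
                and (self.dst is None or self.dst == pkt.dst)
                and (self.port is None or self.port == pkt.port))

class PF:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()

    @staticmethod
    def state_key(pkt: Packet):
        # Inbound packets are keyed (src, dst), outbound (dst, src): a request
        # arriving on xl0 and its reply leaving on xl0 share a key, while the same
        # request leaving on xl2 does not.
        remote, local = (pkt.src, pkt.dst) if pkt.direction == "in" else (pkt.dst, pkt.src)
        return (remote, local, pkt.port)

    def test(self, pkt: Packet) -> str:
        key = self.state_key(pkt)
        if key in self.states:
            return "pass (state)"        # state matched: ruleset skipped
        verdict, keep = "pass", False    # pf's default when nothing matches
        for rule in self.rules:          # last matching rule wins
            if rule.matches(pkt):
                verdict, keep = rule.action, rule.keep_state
        if verdict == "pass" and keep:
            self.states.add(key)
        return verdict

def connection(pf, client, server, port, in_if, out_if) -> Dict[str, str]:
    """Walk one connection through the firewall leg by leg; stop at the first block."""
    legs = [("request in",  Packet(in_if,  "in",  client, server, port)),
            ("request out", Packet(out_if, "out", client, server, port)),
            ("reply in",    Packet(out_if, "in",  server, client, port)),
            ("reply out",   Packet(in_if,  "out", server, client, port))]
    verdicts = {}
    for name, pkt in legs:
        verdicts[name] = pf.test(pkt)
        if verdicts[name] == "block":
            break
    return verdicts

IF_WAN, IF_LAN, IF_DMZ = "xl0", "xl1", "xl2"  # interfaces from the thread
MAIL, SMTP, HTTP = "1.2.3.4", 25, 80           # mail server from the thread
CLIENT = "198.51.100.7"                        # constructed Internet client
BASE = [Rule("pass", "in", (IF_WAN,), keep_state=True),
        Rule("pass", "out", (IF_LAN,), keep_state=True)]
RULESETS = {
    # as quoted from Gaby: filter inbound on the DMZ interface
    "block in on dmz":  BASE + [Rule("block", "in", (IF_DMZ,)),
                                Rule("pass", "in", (IF_DMZ,), MAIL, SMTP, True)],
    # Erik's proposal: block outbound on the DMZ, pass in on LAN and WAN
    "block out on dmz": BASE + [Rule("block", "out", (IF_DMZ,)),
                                Rule("pass", "in", (IF_LAN, IF_WAN), MAIL, SMTP, True)],
    # constructed variant: state the policy on the leg that actually enters the DMZ
    "pass out on dmz":  BASE + [Rule("block", "out", (IF_DMZ,)),
                                Rule("pass", "out", (IF_DMZ,), MAIL, SMTP, True)],
}

def run(name: str, port: int) -> Dict[str, str]:
    """Fresh firewall with the named ruleset, one connection from the Internet to the mail host."""
    return connection(PF(RULESETS[name]), CLIENT, MAIL, port, IF_WAN, IF_DMZ)

if __name__ == "__main__":
    for name in RULESETS:
        for label, port in (("smtp", SMTP), ("http", HTTP)):
            print(f"{name:17} {label}: {run(name, port)}")
```

Running it shows where each ruleset actually filters. With `block in on $if_dmz`, the request passes on xl0 and leaves on xl2 by default pass without creating a state there, so the server's reply arriving on xl2 hits the block rule (the "traffic from the SMTP-server" concern). With `block out on $if_dmz` plus `pass in` on the outer interfaces, the request is passed and stated on xl0, but its outbound leg on xl2 is evaluated on its own and the block rule is the last match, so `keep state` on the inbound rule does not exempt rule 1. The variant that passes SMTP `out on $if_dmz` keeps state on both sides of the firewall: SMTP to 1.2.3.4 completes in both directions while HTTP to the same host is stopped on xl2. In real pf, `pfctl -nf` syntax-checks a ruleset and `pfctl -ss` shows the states this model is imitating.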