NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: Problem configuring IPV6 - Kindly help



Michael David <servers.david%gmail.com@localhost> writes:

> I want to allow ALL outgoing traffic on wm0 and only allow ssh and http in
> on wm0
>
> My rules are as follows:
> *
> pass out quick on any all    *//this I believe will take care of lo0 also*
>
> pass in quick on wm0 proto tcp from any to any port = 22 keep state
> pass in quick on wm0 proto tcp from any to any port = 80 keep state*

Your basic issue is that you need to allow replies to outgoing traffic.

So, my advice:

  do not use quick.  that's a preference, but I like last match

basic setup:

  pass out keep state
  block in
  pass in port 22

so then all outgoing packets are allowed, and the pass out will set up
perflow dynamic allow rules to let replies back in.

you may also want keep frags somehow.  I'm fuzzy on the details, but in
the modern world you may see fragments coming back to dns queries due to
dnssec key records

Attachment: pgpKhoMG1bjEm.pgp
Description: PGP signature



Home | Main Index | Thread Index | Old Index