OpenVPN, IPFW a NAT

Ciernik Tomas tomas at ciernik.sk
Sat Sep 5 20:49:47 CEST 2009

Previous message: OpenVPN, IPFW a NAT
Next message: OpenVPN, IPFW a NAT
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Zbyněk Burget  wrote / napísal(a):
> Ciernik Tomas napsal(a):
>> 02010 skipto 65010 tcp from any to any out via tun3 setup keep-state
>> 02011 skipto 65010 ip from any to any out via tun3 keep-state
> ^^^^^^^^^^^^^^^                                      ^^^^^^^^^^^^^^
> 
> nejsem si jist tim, ze zrovna tohle bude fungovat - nevim, jestli se pri 
> naslednem check-state provede ten skok

Bol som v domneni, ze ten check-state nic neurobi - ziadne spojenie este 
nebolo nadviazane, takze by mal ist dalej na skipto.

> 
> Ja osobne preferuju na zacatku firewallu jednoznasne pomoci skipto 
> rozdelit veskere smerery provozu pro veskere interfaces, pak je jasne, 
> kudy packet prochazi a nebudes tam pak potrebovat takovou silenou 
> konstrukci, jakou tam mas ted.
> 
> tedy nekde na zacatku firewallu udelat neco jako
> 
> 1000 skipto 10000 all from any to any in via em1
> 1010 skipto 11000 all from any to any out via em1
> 1020 skipto 12000 all from any to any in via em2
> 1030 skipto 13000 all from any to any out via em2
> 1040 skipto 14000 all from any to any in via tun0
> 1050 skipto 15000 all from any to any out via tun0
> ...
> ...
> ...
> 
> kde pravidlo check-state bude az za prekladem

toto je dobry napad, vyskusam a dam vediet

> ...pripadne se vybodnout na stavovy firewall a pouzit firewall 
> nestavovy. Mimochodem - mas nejaky vazny duvod k pouziti stavoveho 
> firewallu?

Ako sa pozeram na logy ani nie, kazdopadne si myslim ze je lepsie 
povolit len riadne nadviazane spojenia.

> 
> 
> Zbynek

Previous message: OpenVPN, IPFW a NAT
Next message: OpenVPN, IPFW a NAT
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Users-l mailing list