 From:  "Tonix (Antonio Nati)" <tonix at interazioni dot it>
 To:  m0n0wall at lists dot m0n0 dot ch
 Subject:  Re: [m0n0wall] CARP and OUT rules
 Date:  Fri, 09 Sep 2011 09:53:47 +0200
On 08/09/2011 21:44, Anders Hagman wrote:
> You are right, but not knowing exactly how ipfilter works here is a
> thought.
> The default behavior is to deny all incoming traffic and you must specify a permit rule to allow
> your traffic through.
> Because the firewall is stateful it will create a dynamic rule to shortcut the filter table.
>
> so..
>
> You have to do your incoming filter anyway.
> Even if we do an outgoing filter does the firewall test it at all?
>

No, I'm quite confident you don't need any "pass in" rule.

When a "pass out" rule has been accepted, it should go in a "cache" 
table of already accepted connections, exactly like it does now. I think 
nothing else should change.

I hope someone from the m0n0wall development team can answer, but I'm pretty 
confident it will work exactly like now.

If I'm not mistaken, when the FW goes into the checking stage, it checks in 
the cache table whether the connection has already been accepted, otherwise it 
scans the rules table. For the FW there should be no difference whether the 
rule is "pass in" or "pass out".

Regards,

Tonino

> BR
> Anders


-- 
------------------------------------------------------------
         Inter@zioni            Interazioni di Antonio Nati
    http://www.interazioni.it      tonix at interazioni dot it
------------------------------------------------------------
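The state-table-first behaviour argued for in this thread, as an added toy model that is not m0n0wall or ipfilter code: a packet is looked up in the state table before any rule is scanned, and a matching "pass out" rule with keep-state inserts an entry, so the reply passes with no "pass in" rule at all. Rule ordering (first match wins), the class names and the RFC 5737 sample addresses are assumptions for this example only.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" or "out", relative to the firewall interface
    src: str
    sport: int
    dst: str
    dport: int

@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    dport: Optional[int] = None   # None matches any destination port
    keep_state: bool = True

class StatefulFilter:
    """Toy stateful filter: state table first, then rules, default deny."""
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.state: Set[Tuple[str, int, str, int]] = set()

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Established flow? Both directions of the 4-tuple pass without
        #    touching the rule set, regardless of "in" or "out".
        if key in self.state or reverse in self.state:
            return "pass (state)"
        # 2. Miss: scan the rules. First match wins in this toy model (real
        #    ipfilter uses last-match unless "quick"; that nuance is not modelled).
        for r in self.rules:
            if r.direction == pkt.direction and r.dport in (None, pkt.dport):
                if r.action == "pass" and r.keep_state:
                    self.state.add(key)   # remember the accepted connection
                return r.action
        return "block"   # default deny, as the thread describes

def demo() -> List[str]:
    # Only a "pass out" rule, no "pass in" rule. Addresses are constructed.
    fw = StatefulFilter([Rule("pass", "out", dport=443)])
    syn = Packet("out", "192.0.2.10", 51000, "198.51.100.20", 443)
    reply = Packet("in", "198.51.100.20", 443, "192.0.2.10", 51000)
    unsolicited = Packet("in", "203.0.113.7", 40000, "192.0.2.10", 22)
    return [fw.filter(syn), fw.filter(reply), fw.filter(unsolicited)]
```

Running demo() shows the outbound connection passing by rule, its reply passing purely from the state table, and an unrelated inbound connection still hitting the default deny.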