[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: ip.forwarding and pf

To: misc_(_at_)_openbsd_(_dot_)_org
Subject: Re: ip.forwarding and pf
From: TAMONE Francois - System Engineer <Francois_(_dot_)_Tamone_(_at_)_eig6_(_dot_)_unige_(_dot_)_ch>
Date: Mon, 15 Nov 2004 18:14:06 +0100 (MET)

On Mon, 15 Nov 2004, Aaron Nichols wrote:

Sorry I was not clear enough. I do have several interfaces. I want to use
pass and block rules, but no NAT rules. This is because the internal
network has public IPs. One other network is indeed private, but has no
need to get pass the firewall.

> In your case, it sounds like you don't want ip.forwarding.
>
> If you only have one network interface in your machine and no other
> machines are routing traffic through (not to) your machine you do not
> need ip forwarding (assuming you aren't doing anything special that
> requires it, in which case you would probably know you needed it). If
> you are using NAT or bridging it's generally assumed that traffic from
> other hosts are passing through your machine and thus, you need
> ip.forwarding = 1. Forwarding simply refers to passing ip traffic
> between network interfaces (if this is an over-simplification, someone
> please correct me) and thus, bridging requires this ability.
>
> In either case, pf will work regardless of your ip.forwarding
> configuration which I think defaults to disabled (ip.forwarding = 0).
>
> Aaron
>
> Engineer <francois_(_dot_)_tamone_(_at_)_eig6_(_dot_)_unige_(_dot_)_ch> wrote:
> > Hi,
> >
> > It is not clear after several readings supposed to be central to pf
> > whether ip.forwarding must be set to 1 or not with PF. Now I am confused.
> >
> > Also in the (excellent!) book from Jacek Artymiak "Builing Firewall with
> > OpenBSD and PF":
> >
> >         if pf does bridging or NAT set ip.forwarding to 1
> >
> > But I do not do bridging and my pf.conf does not do NAT... So does it mean
> > I have to set ip.forwarding to 0 ? Is pf routing alone ?
> >
> > I remember the day of "checkpoint" where ip.forwarding wrongly set to 1
> > would bypass firewall rules.
> >
> > Is forwarding like routing ? if so why use it in bridging ? who ? what ?
> > where?...

--
Francois TAMONE - Centre Informatique
Ecole d'Ingenieurs de Geneve		     tel:+41-(22)-338 05 39
Rue de la Prairie 4			     fax:+41-(22)-338 05 33
CH-1202 Geneva SWITZERLAND, e-mail:U_(_at_)_H_(_dot_)_D_(_dot_)_C, U=tamone,H=eig,D=unige,C=ch

Follow-Ups:
- Re: ip.forwarding and pf
  - From: Jason Opperisano

References:
- ip.forwarding and pf
  - From: TAMONE Francois - System Engineer

Prev by Date: ip.forwarding and pf
Next by Date: Re: ip.forwarding and pf
Previous by thread: ip.forwarding and pf
Next by thread: Re: ip.forwarding and pf
Index(es):
- Date
- Thread

Visit your host, monkey.org