Edgar Fuß
2015-07-24 12:00:00 UTC
The first question is probably stupidly simple if you know the internals.
If I have a (non-quick) ipf rule blocking a packet on the incoming side,
will a rule on the outgoing side "see" that packet, i.e., is it possible
to over-rule the "block in" decision with a "pass out" rule?
If not (which I would guess to be the case), how do I best handle the following:
I have a gateway machine with (amongst others) an interface in the outside net
and another in the local DMZ net.
The rules for incoming traffic on the outside interface first block and then
pass anything to a DMZ address. This is based on the assumption that on the
servers with an interface in the DMZ, there's another instance of ipf running
which decides (on the incoming side) whether to block those packets or not.
After that, I need a rule to block the subset of the packets mentioned above
addressed to the gateway's own interface in the DMZ, because they will not be
processed by another ipf instance. And finally, I can selectively pass a
subset of those, i.e. packets from outside to selected ports of the gateway's
DMZ address.
Now the question is how to handle broadcasts/multicasts to the DMZ net. I may
want to be able to process a subset of those on another server, where they
will be blocked and then selectively passed by the local ipf instance. But
for that I need to let them pass on the gateway, and then the gateway's own
DMZ interface will receive them by default (which I don't want).
--
Posted automagically by a mail2news gateway at muc.de e.V.
Please direct questions, flames, donations, etc. to news-***@muc.de
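As an added illustration (not part of the original post), the following IPFilter ruleset reproduces the layering the post describes on the outside interface: a non-quick block, a pass for the whole DMZ net, a second block for the gateway's own DMZ address, and selective passes for the gateway's services. Without "quick", ipf keeps evaluating and the last matching rule decides, so each later, more specific rule overrides the earlier, broader one. Note that inbound and outbound are filtered independently: a packet dropped by a "block in" rule is discarded at input and is never handed to the "out" rules, so a "pass out" cannot rescue it. Interface names (ext0, dmz0), the DMZ prefix 198.51.100.0/24, the gateway's DMZ address 198.51.100.1 and the service ports are assumptions chosen for the example.

```ipf
# Added example ruleset, not from the original post. Interface names,
# addresses and ports are assumptions. No "quick" anywhere, so the
# last matching rule wins.

# 1. Default: block everything arriving on the outside interface.
block in on ext0 all

# 2. Pass anything addressed to the DMZ net. The DMZ hosts run their
#    own ipf instance and make the real decision on their inbound side.
pass in on ext0 from any to 198.51.100.0/24

# 3. The gateway's own DMZ address is not behind another ipf instance,
#    so take those packets back out of rule 2.
block in on ext0 from any to 198.51.100.1

# 4. Selectively re-pass the services the gateway itself offers on its
#    DMZ address (assumed: SSH and HTTPS), with state for the replies.
pass in on ext0 proto tcp from any to 198.51.100.1 port = 22 flags S keep state
pass in on ext0 proto tcp from any to 198.51.100.1 port = 443 flags S keep state

# Outbound on the DMZ side: forwarded packets that survived the inbound
# rules above may leave towards the DMZ hosts.
pass out on dmz0 from any to 198.51.100.0/24
```

To check the file parses before loading it, run "ipf -n -f /etc/ipf.conf" (the -n flag makes no kernel changes); "ipfstat -io" then shows the rules actually loaded, in evaluation order.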