Angelin Lalev wrote:
Well, the short answer is: there is no keep state in the line
pass in quick on rl0 all
the dns reply you get back times out because your default rule is block
and there is nowhere in the "in" rules for rl1 that allows the reply back.
1) I have a bit of difficulty understanding your network setup - why do
you have two private networks on your external interface? May sketch in
2) Having default block can be done by adding the rules
block in all
block out all
in the top of the ruleset rather than compile in the kernel. It makes
it explicit. It also means that you can connect if no rules are
present - this is useful for installing while the machine is behind
Anyway, with your pass in all rules, you have almost effectively
disabled the default block anyway.
2) For your security, in all pass rules, state "from" and "to" even if
it is "any" it makes it more explicit. Split on protocols for
security and control.
3) At least when setting up your firewall, use "log" in all block rules
and enable ipmon, then you can see where your packets are blocked.
4) Use groups to structure your rules, and group them accordingly
visually. It makes them easier to manage and for large rulesets
optimises the firewall.
5) Always keep state! Doing so, all "out" rules only apply to the
gateway itself, it makes the ruleset shorter and firewall faster.
6) You probably want to enable the ftp-proxy in your nat-rule and define
which port-ranges are used for nat'ed connections.
and a lot more you'll learn along the way :-)
Ph: +34.666334818 web: http://www.locolomo.org
S/MIME Certificate: http://www.locolomo.org/crt/2004071206.crt
Subject ID: A9:76:7A:ED:06:95:2B:8D:48:97:CE:F2:3F:42:C8:F2:22:DE:4C:B9
Fingerprint: 4A:E8:63:38:46:F6:9A:5D:B4:DC:29:41:3F:62:D3:0A:73:25:67:C2
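The points above (explicit default block with log, from/to on every pass rule, split per protocol, groups per interface, keep state everywhere, ftp proxy and a portmap range in the NAT rules) pulled together into one IPFilter ruleset, as an added example that is not part of the original reply. It assumes rl1 is the external interface, rl0 is the LAN interface with 192.168.1.0/24 behind it, and that the gateway only needs to accept ssh from outside; adjust those to your own setup.

```ipf
# /etc/ipf.conf -- added example; interface roles and addresses are assumed
# Explicit default policy at the top; "log" so ipmon shows every drop
block in log all
block out log all

# ---- rl0: LAN side, inbound from the LAN ----
# the head rule blocks anything the group does not explicitly pass
block in log quick on rl0 all head 10
# DNS: keep state so the reply is matched by the state table on its way back
pass in quick on rl0 proto udp from 192.168.1.0/24 to any port = 53 keep state group 10
pass in quick on rl0 proto tcp from 192.168.1.0/24 to any port = 80 flags S keep state group 10
pass in quick on rl0 proto tcp from 192.168.1.0/24 to any port = 443 flags S keep state group 10
pass in quick on rl0 proto tcp from 192.168.1.0/24 to any port = 21 flags S keep state group 10
pass in quick on rl0 proto icmp from 192.168.1.0/24 to any keep state group 10

# ---- rl1: external side, inbound from the Internet ----
block in log quick on rl1 all head 20
# only new ssh connections to the gateway itself; everything else is state
pass in quick on rl1 proto tcp from any to any port = 22 flags S keep state group 20

# ---- rl1: outbound traffic originated by the gateway itself ----
# forwarded LAN traffic is already covered by the state created in group 10
block out log quick on rl1 all head 30
pass out quick on rl1 proto udp from any to any port = 53 keep state group 30
pass out quick on rl1 proto tcp from any to any flags S keep state group 30
pass out quick on rl1 proto icmp from any to any keep state group 30
```

And the matching NAT configuration, with the ftp proxy first so it matches before the generic map rule, and an explicit port range for translated connections:

```ipf
# /etc/ipnat.conf -- added example; range 40000:60000 is an assumption
map rl1 192.168.1.0/24 -> 0/32 proxy port ftp ftp/tcp
map rl1 192.168.1.0/24 -> 0/32 portmap tcp/udp 40000:60000
map rl1 192.168.1.0/24 -> 0/32
```

Load with `ipf -Fa -f /etc/ipf.conf` and `ipnat -CF -f /etc/ipnat.conf`, then run `ipmon -o IPF` while testing: any DNS reply that still times out will show up as a logged block with the interface and group number that dropped it.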