newbie firewall question

[<admin-f () demoney net>]

Good morning Felix...

Looks as if the rules are in the reverse order they should be. Firewalls
parse rules top to bottom. Suppose you had "allow in le0 90" and then
"deny in le0 all". The packet is compared to each rule. The first one
that allows it to pass it will. If it doesn't meet the rules allowing it
to enter, it will reach the "deny all" or "clean up rule" or whatever
you please. If in fact these rules are in the order they are, and rl0 is
the external interface, you are denying access to all packets FIRST,
without looking any further.

I don't believe it has anything to do with your nat...

Hope this helps

David DeMoney
Senior Systems / Security Engineer
Industrial Information Systems
Dallas, Texas


-----Original Message-----
From: Felix Cuello [mailto:felix () qodiga com] 
Sent: Thursday, October 10, 2002 12:37 PM
To: security-basics () securityfocus com
Subject: newbie firewall question

Hello!

   I'm configuring now a OpenBSD firewall to protect some servers and my
private lan. This openBSD are now doing dinamic NAT to provides internet
to all my office and that's works fine...

   Now, when I wrote this firewall rules in /etc/pf.conf
   [this rules are copied exactly as appears in openbsd.org page]

block in on rl0 all
pass  in on rl0 inet proto tcp from any to any port 22
pass  in on rl0 inet proto tcp from any to any port 80
pass  in on rl0 inet proto tcp from any to any port 443
pass out on rl0 all


   my office doesn't have Internet access...,

   What's wrong?, what can I read to learn this?

Thsnks a lot,

Felix
"sorry for my poor english"


---------------------------------------
 Felix Cuello
 felix () qodiga com

 Qodiga/its
 http://www.qodiga.com
 Santa Fe 882 - Piso 13 - Of."E"
 Buenos Aires, ARGENTINA