[Gllug] Firewall setup Routing

Bruce Richardson itsbruce at uklinux.net
Tue Jul 6 16:42:59 UTC 2004


On Tue, Jul 06, 2004 at 05:06:44PM +0100, Richard wrote:
> 
> That said, if anyone could let me know how they manage h.323 forwarding 
> through the (NAT) firewall, then I'd like to know. The only solution I'm 
> aware of is a gateway sitting on the (NAT) firewall, and that always 
> seemed evil to me.

Other people take the view that it's the only way that it should be
done.  That's certainly the OpenBSD philosophy and pf is generally
highly thought of as a firewall application.  They take the view that
the iptables method of adding in modules to deal with
firewall-unfriendly protocols like ftp, irc and the like makes it all
needlessly complex and can make connection tracking in particular hard
to get right and to debug.  So pf doesn't do any of that.  If you want
to do ftp through it, you run an ftp proxy.  This certainly makes
firewalling rules simpler and the proxy application that OpenBSD
provides to work with pf can be made to act rather more predictably than
some random ftp client.

-- 
Bruce

A problem shared brings the consolation that someone else is now
feeling as miserable as you.