On Thu, Jan 20, 2011 at 2:57 PM, Ryan McBride <[email protected]> wrote:
> On Thu, Jan 20, 2011 at 01:47:20PM +0530, Indunil Jayasooriya wrote:
> > my question is that How can I exclude my firewall from being able to
> > do it ?
>
> I'm really not sure why you don't want the firewall to be able to
> traceroute. (hint: if you can't trust the users on your firewall to
> behave responsibly with basic troubleshooting tools, you're Doing It
> Wrong (tm)).

I thought in this way. If I want to traceroute only from my PC, why should I open it from the firewall? That's why I asked such a question.

I would like to give another example.... Suppose my PC behind the firewall only wants to access a port outside. Let's say TCP port 10000 (webmin runs on it); then, from my PC I can do administration since it is web based... So I think that the firewall does NOT need access to it since I am not going to access it from my firewall. In this way, I selectively wanted to filter traffic. So, I achieved it. I realized how to do it as well. I gained the knowledge due to your below rules. Thanks a LOT. This list is also very useful. Thanks once again.

> > match out on $ext_if from $lan_net nat-to ($ext_if)
> >
> > pass in log (all) on $int_if inet proto udp from $admin_pc to !$int_if \
> >     port 33433 >< 33626 tag ADMIN
> >
> > pass out log on $ext_if inet proto udp from $ext_if to any \
> >     port 33433 >< 33626 tagged ADMIN
> >
> > Tested. worked.
>
> Note I've removed the 'keep state', it's not necessary to specify that
> anymore.

Yes, I know. Thanks a lot for the extra effort you performed. I appreciate it a lot.
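The same tag/tagged pattern applied to the webmin case mentioned in the message above (TCP port 10000 reachable from the admin PC only, never from the firewall itself). This is an added illustration, not a ruleset from the thread; the interface names, addresses and the ADMIN_WEBMIN tag name are assumed placeholders.

```pf
# Added example (not from the original thread): only the admin PC may reach
# the remote webmin port; the firewall's own connections to it are dropped.
# Interface names and addresses below are assumed placeholders.
ext_if   = "em0"
int_if   = "em1"
lan_net  = "192.168.1.0/24"
admin_pc = "192.168.1.10"
webmin   = "203.0.113.10"    # remote host running webmin (assumed)

# Translate LAN traffic leaving the external interface, as in the thread.
match out on $ext_if from $lan_net nat-to ($ext_if)

# Default deny in every direction. Traffic originated on the firewall itself
# never passes the "pass in" rule below, so it never receives the tag and
# falls through to this block.
block log all

# Tag the admin PC's request as it arrives on the LAN interface ...
pass in log on $int_if inet proto tcp from $admin_pc to $webmin \
    port 10000 tag ADMIN_WEBMIN

# ... and let it out only when it carries that tag. The match rule above has
# already rewritten the source address, so the outbound rule sees ($ext_if).
pass out log on $ext_if inet proto tcp from ($ext_if) to $webmin \
    port 10000 tagged ADMIN_WEBMIN
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; replies are covered by the state each `pass` rule creates, so no explicit `keep state` is needed.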