Re: Question on rules assosciations, natting.

[ Charset ISO-8859-1 unsupported, converting... ]
> I've got a solaris box acting as a gateway here (finally got it up).
>
> When firewalling the box off, can i treat each interface as it's own, or
> will I need to do something special for the setup due to me also natting
> with this.
>
> I've got
> le0 => internet
> le1 => lan
> le2 => Wireless AP (currently left down)
>
> Ideally, le2 is trusted, it's all open, le2, is locked down to vpn
> tunnel port (you login to a vpn run from the gateway which will then
> tunnel all your connections to the net. and le1 faces the internet, can
> I just write rules for each interface, and be done with it? or do I need
> to specially craft rules coming from my internal lan to the internet
> (and back) or will NAT intelligently handle this? Or is this
> accomplished from the keep state?

If you want to force connections to only use (le0,le2) and prevent
(le2,le1), then you can do something like this with keep state:

pass in on le2 out-via le0 proto tcp all flags S keep state

Darren