need help with pf configuration



Colleagues,

I have a configuration with 2 inside interfaces, 1 outside and 1 dmz
interface. The traffic should be able to flow

1) from inside1 to any (and back)
2) from inside2 to any (and back)
3) from dmz to outside only (and back).

I need no details, just a general hint how to setup such security
levels, preferably independent of actual IP addresses behind the
interfaces (a :network macro is not always sufficient). It would be
nice to find a configuration that would scale to any number of
interfaces with different security levels.

On a Cisco PIX I would configure

outside security0
inside1 security100
inside2 security100
dmz security50

and that's it, the PIX logic would do the rest.

Thank you very much in advance for any input.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@xxxxxxxxxxxxxxxx
_______________________________________________
freebsd-questions@xxxxxxxxxxx mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscribe@xxxxxxxxxxx"
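One way to get PIX-style security levels in pf without listing any addresses is to tag packets on ingress by the level of the interface they arrived on and to filter on egress by tag. The pf.conf below is an added example, not from the post above; the interface names (em0..em3) and the level names are assumptions, and NAT is left out because the question does not mention it.

```pf
# Added example: PIX-style security levels expressed with pf interface tags.
# Interface names are assumptions; adjust them to the real hardware.
ext_if = "em0"    # outside, level 0
in1_if = "em1"    # inside1, level 100
in2_if = "em2"    # inside2, level 100
dmz_if = "em3"    # dmz,     level 50

# States must be bound to the interface they were created on. With the
# default "floating" policy the state created by a "pass in" rule would
# also match the same packet on its way out of any other interface, and
# the "pass out" restrictions below would never be evaluated.
set state-policy if-bound
set skip on lo0

# Default deny; log what is blocked so a missing rule shows up in pflog0.
block log all

# Ingress: classify each packet by the level of the interface it came in on.
# Nothing is passed in on the outside interface, so level 0 cannot originate.
pass in on { $in1_if, $in2_if } tag LEVEL100 keep state
pass in on $dmz_if tag LEVEL50 keep state

# Egress: a packet may leave through an interface only if it carries the tag
# of a higher level (equal level for the two inside nets, as requested).
pass out on $ext_if keep state                                 # anyone -> outside
pass out on $dmz_if tagged LEVEL100 keep state                  # inside -> dmz
pass out on { $in1_if, $in2_if } tagged LEVEL100 keep state     # inside1 <-> inside2
# There is deliberately no "pass out on <inside> tagged LEVEL50" rule, so
# dmz -> inside falls through to the default block. Adding an interface is
# one "pass in ... tag" line plus the "pass out ... tagged" lines for the
# levels allowed to reach it.
```

Load it with `pfctl -nf /etc/pf.conf` first to check the syntax, then `pfctl -f /etc/pf.conf`; `pfctl -ss` shows the per-interface states, which with `if-bound` appear once on the ingress and once on the egress interface for each allowed flow. Note that the untagged `pass out on $ext_if` rule also lets traffic originated by the firewall itself leave through the outside interface; if that is not wanted, restrict it with `tagged` rules as for the other interfaces.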


