Re: need help with pf configuration

On 09/10/2011 10:31, Patrick Lamaiziere wrote:
Le Sun, 9 Oct 2011 14:39:10 +0700,
Victor Sudakov <vas@xxxxxxxxxxxxxx> a écrit :

I need no details, just a general hint how to setup such security
levels, preferably independent of actual IP addressses behind the
interfaces (a :network macro is not always sufficient).

You may use urpf-failed instead :network
urpf-failed: Any source address that fails a unicast reverse path
forwarding (URPF) check, i.e. packets coming in on an interface
other than that which holds the route back to the packet's source

Excuse me, I do not see how this is relevant to my question (allowing
traffic to be initiated from a more secure interface to a less secure
interface and not vice versa).
Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
FreeBSD). There is no concept of security level at all, you must specify
on each interface the traffic allowed (in input and output).

My reply was about the use of the interface:network addresses.

pf has the concept of packet tagging. So you can write a small rule to
tag traffic crossing eg. your set of internal interfaces and then write
one ruleset to filter all that traffic identified by tag.

Quoting pf.conf(5): "This can be used, for example, to
provide trust between interfaces and to determine if packets
have been processed by translation rules."

I think that's roughly equivalent to what the OP was asking about.



Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: Ramsgate
JID: matthew@xxxxxxxxxxxxxxxxxxxxxx Kent, CT11 9PW

Attachment: signature.asc
Description: OpenPGP digital signature