Re: need help with pf configuration

On 09/10/2011 10:31, Patrick Lamaiziere wrote:
> On Sun, 9 Oct 2011 14:39:10 +0700,
> Victor Sudakov <vas@xxxxxxxxxxxxxx> wrote:
>
>>>> I need no details, just a general hint how to setup such security
>>>> levels, preferably independent of actual IP addresses behind the
>>>> interfaces (a :network macro is not always sufficient).
>>>
>>> You may use urpf-failed instead of :network
>>> urpf-failed: Any source address that fails a unicast reverse path
>>> forwarding (URPF) check, i.e. packets coming in on an interface
>>> other than that which holds the route back to the packet's source
>>> address.
>>
>> Excuse me, I do not see how this is relevant to my question (allowing
>> traffic to be initiated from a more secure interface to a less secure
>> interface and not vice versa).
>
> Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
> FreeBSD). There is no concept of security level at all, you must specify
> on each interface the traffic allowed (in input and output).
>
> My reply was about the use of the interface:network addresses.

pf has the concept of packet tagging. So you can write a small rule to
tag traffic crossing e.g. your set of internal interfaces and then write
one ruleset to filter all that traffic identified by tag.

Quoting pf.conf(5): "This can be used, for example, to
provide trust between interfaces and to determine if packets
have been processed by translation rules."

I think that's roughly equivalent to what the OP was asking about.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                    7 Priory Courtyard
                                                   Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey      Ramsgate
JID: matthew@xxxxxxxxxxxxxxxxxxxxxx                Kent, CT11 9PW

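Worked example of the tagging approach Matthew describes, added here as an illustration and not taken from the thread or from any of the participants. It maps three interfaces onto ASA-style security levels (LAN 100 > DMZ 50 > Internet 0) by tagging each forwarded packet with the *interface it entered on*, so the policy does not depend on the addresses behind the interfaces. The interface names em0/em1/em2, the level names, the DMZ web server address 192.0.2.10 and the published ports are assumptions for the example; `self` is the pf.conf keyword for all of the firewall's own addresses (check it is accepted by the pf version in use).

```pf
# Added example: "security levels" with pf tags. Names and addresses below
# are assumptions for illustration, not values from the thread.
ext_if  = "em0"           # level 0:   Internet, least trusted
dmz_if  = "em1"           # level 50:  DMZ servers
int_if  = "em2"           # level 100: LAN, most trusted
dmz_web = "192.0.2.10"    # assumed DMZ web server (documentation address)

set skip on lo0
block log all

# 1. Classify forwarded traffic by ingress interface. The tag, not the
#    source address, records the trust level. These rules deliberately
#    keep NO state: pf states are floating by default, so a state created
#    on the "in" side would match again on the "out" side and the egress
#    rules below would never be evaluated.
#    "to ! self" limits the tagging to forwarded packets; traffic to the
#    firewall itself is handled separately in step 4.
pass in on $int_if from any to ! self no state tag LEVEL100
pass in on $dmz_if from any to ! self no state tag LEVEL50
pass in on $ext_if from any to ! self no state tag LEVEL0

# 2. Egress: a packet may leave an interface only if it entered on a
#    higher-level one. "keep state" here creates the (floating) state, so
#    the reply packets pass both interfaces without re-evaluating rules.
pass out on $ext_if all tagged LEVEL100 keep state
pass out on $ext_if all tagged LEVEL50  keep state
pass out on $dmz_if all tagged LEVEL100 keep state
#    Lower-to-higher (LEVEL0 -> DMZ/LAN, LEVEL50 -> LAN) has no matching
#    pass rule and falls through to "block log all".

# 3. Explicit exceptions (the ASA equivalent of an inbound access-list):
#    let the Internet reach the DMZ web server on 80/443 only.
pass out on $dmz_if proto tcp from any to $dmz_web port { 80 443 } \
    tagged LEVEL0 keep state

# 4. Traffic to the firewall itself is outside the level model; allow
#    ssh management from the LAN only.
pass in on $int_if proto tcp from any to self port 22 keep state
```

Two points worth checking before relying on this: the ordering of `no state` on the ingress rules and `keep state` on the egress rules is what makes the egress decision authoritative (swap them and the LAN-to-DMZ restriction silently disappears), and `pfctl -sr -vv` will show the per-rule counters so you can confirm a DMZ-initiated connection to the LAN is being counted against `block log all` rather than one of the `pass out` rules.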