PF sanity check

Rumen Telbizov telbizov at gmail.com
Sat Oct 26 15:36:15 UTC 2013


Hello everyone,

I am in the process of building a brand new PF firewall ruleset for a site
which requires that we have the ability to filter between internal vlans as
well as between the Internet and the vlans. I'd like to share what I have
in mind and hear what people think about it and what they have done in the
past.

Here are a few assumptions that I made during the process:

1. I use quick rules everywhere. Early on in the ruleset I pass everything
in and out on the $ext_if no state. All of the actual rules that let the
traffic in or create the state out (to internet and other vlans) are bound
to the vlan interface itself. So this way, effectively I only have to worry
about writing one rule which is bound to the vlan interface itself and
don't care if the traffic comes from the Internet or another vlan. They are
to be considered equally dangerous sources of traffic. So if a packet that
is to be blocked comes in from the Internet it will pass "half way through"
via the external interface on its way in and then will be blocked on its
way out when it hits the vlan interface.

So my questions here are:
 - Is this a sane setup?
 - Is there any security risk in me allowing the traffic to pass the external
interface and then dropping it on the internal interface?

As a side effect it turns out that pf will always send an icmp host
unreachable when I have this setup regardless of the default block policy.

2. For inter-vlan traffic it will create double states for the pass rules:
one state for the packet coming in on the source vlan interface and
another for it going out of the destination interface allowing the specific
traffic.

The question is: Is keeping two states for one connection a bad thing or is
it an acceptable practice?

Here's a reproduction of the ruleset for better understanding:

# ignore the $ext_if below
pass quick on $ext_if no state

# vlan1
pass in quick on vlan1   # outgoing state for the internet and other vlans
pass out quick on vlan1 proto tcp from <trusted> to 10.1.1.1 port 22
block quick on vlan1 all

# vlan2
pass in quick on vlan2
pass out quick on vlan2 proto tcp from any to 10.1.2.1 port 80
block quick on vlan2 all

...

block quick all


All your input is highly appreciated.
Thank you very much.

Regards,
-- 
Rumen Telbizov
Unix Systems Administrator <http://telbizov.com>
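A complete, loadable pf.conf built on the design in the post above, added here as an example rather than the poster's own ruleset; the interface name em0, the <trusted> members and the absence of NAT on $ext_if are assumptions. It adds the rules the design needs for traffic addressed to the firewall host itself, which is delivered locally from the arrival interface and never reaches a vlan interface on its way out.

```pf
# pf.conf: complete instance of the "filter on the vlan side" design.
# Assumed values: em0, the <trusted> members, and no NAT on $ext_if
# (NAT would rewrite return traffic to the firewall's own address and
# change the local-delivery handling below). Check with: pfctl -nf pf.conf
ext_if = "em0"
table <trusted> { 10.1.1.0/24, 10.1.2.50 }

set skip on lo0

# 1. The firewall host itself. A packet whose destination is one of the
#    firewall's own addresses is delivered locally from the interface it
#    arrives on; it never goes "out" on a vlan interface, so the vlan-side
#    rules below never see it. Decide it here, before the stateless pass.
pass out quick on $ext_if from ($ext_if)   # the host's own connections (stateful)
block in quick on $ext_if to ($ext_if)     # unsolicited traffic to the host

# 2. Forwarded traffic passes $ext_if "half way" with no state; the decision
#    is made when the packet leaves on the vlan interface.
pass quick on $ext_if no state

# 3. Per-vlan policy. "pass in" creates the state for everything leaving the
#    vlan (Internet and other vlans); the "pass out" rules are the only way
#    into the vlan, whichever side the packet came from. For inter-vlan flows
#    this yields one state per traversed interface, which is normal pf
#    behaviour under the default "set state-policy floating".
#    Note: "pass in quick on vlan1" also admits vlan1 hosts to the firewall's
#    own vlan1 address (local delivery, no "pass out" involved); narrow it
#    with "to ! (vlan1)" plus explicit rules if that is not intended.
pass in quick on vlan1
pass out quick on vlan1 proto tcp from <trusted> to 10.1.1.1 port 22
# The drop happens on the output side of the forwarding path, which is why
# the kernel answers with ICMP host unreachable rather than dropping silently.
block quick on vlan1 all

pass in quick on vlan2
pass out quick on vlan2 proto tcp from any to 10.1.2.1 port 80
block quick on vlan2 all

# 4. Catch-all for anything not decided by a quick rule above.
block quick all
```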


More information about the freebsd-pf mailing list