need help with pf configuration
Victor Sudakov
sudakov at sibptus.tomsk.ru
Mon Oct 10 08:10:58 UTC 2011
Nikos Vassiliadis wrote:
> >>
> >>>I have a configuration with 2 inside interfaces, 1 outside and 1 dmz
> >>>interface. The traffic should be able to flow
> >>>
> >>>1) from inside1 to any (and back)
> >>>2) from inside2 to any (and back)
> >>>3) from dmz to outside only (and back).
> >>>
> >>>I need no details, just a general hint how to setup such security
> >>>levels, preferably independent of actual IP addressses behind the
> >>>interfaces (a :network macro is not always sufficient).
> >>
> >>You may use urpf-failed instead :network
> >>urpf-failed: Any source address that fails a unicast reverse path
> >>forwarding (URPF) check, i.e. packets coming in on an interface other
> >>than that which holds the route back to the packet's source address.
> >
> >Excuse me, I do not see how this is relevant to my question (allowing
> >traffic to be initiated from a more secure interface to a less secure
> >interface and not vice versa).
> >
>
> What if you combine macros and lists?
> The ruleset below seems "scalable" to any number of interfaces.
>
> inside1 = em1
> inside2 = em2
> dmz = em0
> insides = "{" $inside1:network $inside2:network "}"
The problem is, there could be several routed networks behind the
inside interfaces. Not all inside networks are directly connected, and
the :network macro works only for directly connected interfaces,
right?
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
More information about the freebsd-questions
mailing list