pf, stateful filter and DMZ
Matthew Grooms
mgrooms at shrew.net
Thu Nov 21 19:29:31 UTC 2019
On 11/21/2019 9:10 AM, Victor Sudakov wrote:
> Dear Colleagues,
>
> A quick question about pf from an ipfw user.
>
> Suppose I have three interfaces: $outside, $inside and $dmz. If I want
> to block any traffic from $dmz to $inside, unless it is
>
> 1. Return traffic from $inside to $dmz
> 2. ICMP traffic in any direction
>
> would these rules be sufficient?
>
> block in on $dmz
> pass in on $dmz proto icmp
> pass out on $inside
Assuming a default to deny with narrow match criteria ( using in/out &
from/to ), you probably want something like the following ...
# default to deny
block log all
# pass icmp from dmz to inside
pass in log on $if_dmz proto icmp from $net_dmz to $net_inside
pass out log on $if_inside proto icmp from $net_dmz to $net_inside
# pass from inside to dmz
pass in log on $if_inside from $net_inside to $net_dmz
pass out log on $if_dmz from $net_inside to $net_dmz
Rules will keep state by default unless you disable ( w/ no keep state
), so return packets will pass ( icmp from inside to dmz | any from dmz
to inside ). You could broaden the match criteria by dropping the
from/to selectors.
-Matthew
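A complete pf.conf built around the fragment above, as an added example that is not part of the thread; the interface names and the two network addresses are assumptions. It places the stateful rules beside a stateless variant so the role of the state table in passing the return traffic is visible.

```pf
# Added example, not from the thread. Interface names and networks are
# assumptions; substitute your own.
if_outside = "em0"
if_inside  = "em1"
if_dmz     = "em2"
net_inside = "10.0.1.0/24"
net_dmz    = "10.0.2.0/24"

set skip on lo0

# default to deny; logging the drops lets the policy be verified with tcpdump on pflog0
block log all

# icmp from dmz to inside. Both rules keep state by default, so the echo
# replies flowing inside -> dmz are matched by the state entries created here,
# not by any rule that passes dmz-bound traffic.
pass in  log on $if_dmz    proto icmp from $net_dmz to $net_inside
pass out log on $if_inside proto icmp from $net_dmz to $net_inside

# inside may open anything to the dmz; the dmz -> inside return packets
# ride the same state entries and never need a pass rule of their own.
pass in  log on $if_inside from $net_inside to $net_dmz
pass out log on $if_dmz    from $net_inside to $net_dmz

# Stateless variant, shown only for contrast. With "no state" there is no
# state entry for the connection, so the dmz -> inside replies match nothing
# and fall through to "block log all": the dmz can be reached but never answers.
# pass in  log on $if_inside from $net_inside to $net_dmz no state
# pass out log on $if_dmz    from $net_inside to $net_dmz no state
```

Check the syntax without loading it with `pfctl -nf /etc/pf.conf`; after loading, `pfctl -ss` lists the state entries that carry the return traffic.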