need help with pf configuration
Matthew Seaman
m.seaman at infracaninophile.co.uk
Sun Oct 9 11:26:28 UTC 2011
On 09/10/2011 10:31, Patrick Lamaiziere wrote:
> Le Sun, 9 Oct 2011 14:39:10 +0700,
> Victor Sudakov <vas at mpeks.tomsk.su> a écrit :
>
>>>> > > > I need no details, just a general hint how to setup such security
>>>> > > > levels, preferably independent of actual IP addressses behind the
>>>> > > > interfaces (a :network macro is not always sufficient).
>>> > >
>>> > > You may use urpf-failed instead :network
>>> > > urpf-failed: Any source address that fails a unicast reverse path
>>> > > forwarding (URPF) check, i.e. packets coming in on an interface
>>> > > other than that which holds the route back to the packet's source
>>> > > address.
>> >
>> > Excuse me, I do not see how this is relevant to my question (allowing
>> > traffic to be initiated from a more secure interface to a less secure
>> > interface and not vice versa).
> Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
> FreeBSD). There is no concept of security level at all, you must specify
> on each interface the traffic allowed (in input and output).
>
> My reply was about the use of the interface:network addresses.
pf has the concept of packet tagging. So you can write a small rule to
tag traffic crossing eg. your set of internal interfaces and then write
one ruleset to filter all that traffic identified by tag.
Quoting pf.conf(5): "This can be used, for example, to
provide trust between interfaces and to determine if packets
have been processed by translation rules."
I think that's roughly equivalent to what the OP was asking about.
Cheers,
Matthew
--
Dr Matthew J Seaman MA, D.Phil. 7 Priory Courtyard
Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey Ramsgate
JID: matthew at infracaninophile.co.uk Kent, CT11 9PW
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 267 bytes
Desc: OpenPGP digital signature
Url : http://lists.freebsd.org/pipermail/freebsd-questions/attachments/20111009/4ace8950/signature.pgp
More information about the freebsd-questions
mailing list