need help with pf configuration

Matthew Seaman m.seaman at infracaninophile.co.uk
Sun Oct 9 11:26:28 UTC 2011


On 09/10/2011 10:31, Patrick Lamaiziere wrote:
> On Sun, 9 Oct 2011 14:39:10 +0700,
> Victor Sudakov <vas at mpeks.tomsk.su> wrote:
> 
>>>> I need no details, just a general hint how to set up such security
>>>> levels, preferably independent of actual IP addresses behind the
>>>> interfaces (a :network macro is not always sufficient).
>>> 
>>> You may use urpf-failed instead of :network
>>> urpf-failed: Any source address that fails a unicast reverse path
>>> forwarding (URPF) check, i.e. packets coming in on an interface
>>> other than that which holds the route back to the packet's source
>>> address.
>> 
>> Excuse me, I do not see how this is relevant to my question (allowing
>> traffic to be initiated from a more secure interface to a less secure
>> interface and not vice versa).
> Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
> FreeBSD). There is no concept of security level at all, you must specify
> on each interface the traffic allowed (in input and output).
> 
> My reply was about the use of the interface:network addresses.

pf has the concept of packet tagging.  So you can write a small rule to
tag traffic crossing e.g. your set of internal interfaces and then write
one ruleset to filter all that traffic identified by tag.

Quoting pf.conf(5): "This can be used, for example, to provide trust
between interfaces and to determine if packets have been processed by
translation rules."

I think that's roughly equivalent to what the OP was asking about.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew at infracaninophile.co.uk               Kent, CT11 9PW
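The ruleset below is an added worked example illustrating the tagging approach Matthew describes; it is not from the thread or from the FreeBSD handbook. Interface names (em0 outside, em1 inside, em2 DMZ), the trust order inside > DMZ > outside, and the DMZ web server address 192.0.2.10 are assumptions. Packets are classified by the interface they enter on and tagged, so the policy does not depend on the address ranges behind each interface, which is what the original poster asked for; the uRPF rule from earlier in the thread is kept as the anti-spoofing check that address-independent classification needs.

```pf
# Added example (not from the thread): "security levels" with pf tags.
# Assumed interfaces: em0 = outside, em1 = inside, em2 = DMZ.
# Assumed trust order: inside > dmz > outside.
ext_if     = "em0"
int_if     = "em1"
dmz_if     = "em2"
www_server = "192.0.2.10"     # assumed DMZ web server

set skip on lo0

# Default deny in both directions on every interface; rules below use
# "quick" so they are first-match exceptions to this.
block log all

# Anti-spoofing (as suggested earlier in the thread): drop packets whose
# source address has its route back via a different interface.  Without
# this, interface-based trust could be abused by spoofing an inside source
# from outside.
block in quick from urpf-failed

# Step 1: classify by ingress interface.  The tag stays with the packet
# (and its state) for the rest of the ruleset, so no address range is
# needed here.  Note "pass in ... all" also admits packets addressed to the
# firewall itself; narrow these rules if that segment must not reach the
# firewall's own services.
pass in quick on $int_if all tag INSIDE
pass in quick on $dmz_if all tag DMZ

# The least-trusted interface is NOT admitted wholesale: only the traffic
# we are willing to forward into the DMZ gets in (and gets tagged).
pass in quick on $ext_if proto tcp to $www_server port { 80 443 } tag OUTSIDE

# Step 2: decide where tagged traffic may leave.  Higher trust may initiate
# towards lower trust; the stateful reply flows back through the state
# created here, so no rule for the reverse direction is needed.
pass out quick on $ext_if tagged INSIDE
pass out quick on $ext_if tagged DMZ
pass out quick on $dmz_if tagged INSIDE

# Only the explicitly admitted outside traffic carries the OUTSIDE tag.
pass out quick on $dmz_if tagged OUTSIDE

# Not listed (DMZ -> inside, OUTSIDE -> inside) falls through to
# "block log all", which is the "lower level may not initiate to higher
# level" rule expressed once rather than per address range.
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and `pfctl -ss` afterwards to confirm that a connection initiated from inside creates a state on the ingress and egress interfaces while the same connection attempted from the DMZ towards the inside is logged by the default block.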

More information about the freebsd-questions mailing list