need help with pf configuration

Victor Sudakov vas at mpeks.tomsk.su
Mon Oct 10 01:49:04 UTC 2011


Patrick Lamaiziere wrote:
> 
> > > > I need no details, just a general hint how to setup such security
> > > > levels, preferably independent of actual IP addresses behind the
> > > > interfaces (a :network macro is not always sufficient).
> > > 
> > > You may use urpf-failed instead of :network
> > > urpf-failed: Any source address that fails a unicast reverse path
> > > forwarding (URPF) check, i.e. packets coming in on an interface
> > > other than that which holds the route back to the packet's source
> > > address.
> > 
> > Excuse me, I do not see how this is relevant to my question (allowing
> > traffic to be initiated from a more secure interface to a less secure
> > interface and not vice versa).
> 
> Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
> FreeBSD). There is no concept of security level at all, you must specify
> on each interface the traffic allowed (in input and output).

Actually you can with ipfw. The following concise ruleset should do it:

check-state
permit ip from any to any recv INSIDE xmit DMZ keep-state
permit ip from any to any recv INSIDE xmit OUTSIDE keep-state
permit ip from any to any recv DMZ xmit OUTSIDE keep-state


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
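The three permit rules above are one instance of a general pattern: with interfaces ordered from most to least secure, each interface may initiate towards every interface after it, and nothing else. The script below is an added example (not Victor's ruleset, not FreeBSD project code) that generates that ruleset for any such ordered list, with an explicit logged deny at the end so the policy does not depend on the kernel default; the interface names are constructed placeholders.

```sh
#!/bin/sh
# Added example: emit an ipfw ruleset that allows sessions to be initiated
# only from a more secure interface towards a less secure one.
# Interfaces are passed most-secure first, e.g.: gen_tiered_rules INSIDE DMZ OUTSIDE
# Lines are printed as "add ..." commands, ready for review or for a file
# loaded with `ipfw -q /path/to/file`; nothing is applied by this script.

gen_tiered_rules() {
    # Return traffic of established sessions is matched by the dynamic rules
    # that keep-state creates, so check-state must come first.
    echo "add check-state"
    i=1
    for src in "$@"; do
        j=0
        for dst in "$@"; do
            j=$((j + 1))
            # Only interfaces listed after $src (less secure) may be reached.
            if [ "$j" -gt "$i" ]; then
                echo "add permit ip from any to any recv $src xmit $dst keep-state"
            fi
        done
        i=$((i + 1))
    done
    # Anything not explicitly permitted above (DMZ->INSIDE, OUTSIDE->anything)
    # is logged and dropped, regardless of net.inet.ip.fw.default_to_accept.
    echo "add deny log ip from any to any"
}

# Number of permit rules for N interfaces is N*(N-1)/2.
count_permit_rules() {
    gen_tiered_rules "$@" | grep -c '^add permit '
}
```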


More information about the freebsd-questions mailing list