need help with pf configuration

Victor Sudakov vas at mpeks.tomsk.su
Mon Oct 10 07:07:40 UTC 2011


Matthew Seaman wrote:
> > 
> >>>> > > > I need no details, just a general hint how to setup such security
> >>>> > > > levels, preferably independent of actual IP addresses behind the
> >>>> > > > interfaces (a :network macro is not always sufficient).
> >>> > > 
> >>> > > You may use urpf-failed instead of :network
> >>> > > urpf-failed: Any source address that fails a unicast reverse path
> >>> > > forwarding (URPF) check, i.e. packets coming in on an interface
> >>> > > other than that which holds the route back to the packet's source
> >>> > > address.
> >> > 
> >> > Excuse me, I do not see how this is relevant to my question (allowing
> >> > traffic to be initiated from a more secure interface to a less secure
> >> > interface and not vice versa).
> > Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
> > FreeBSD). There is no concept of security level at all, you must specify
> > on each interface the traffic allowed (in input and output).
> > 
> > My reply was about the use of the interface:network addresses.
> 
> pf has the concept of packet tagging.  So you can write a small rule to
> tag traffic crossing eg. your set of internal interfaces and then write
> one ruleset to filter all that traffic identified by tag.
> 
> Quoting pf.conf(5): "This can be used, for example, to provide trust
> between interfaces and to determine if packets have been processed by
> translation rules."

I guess the tagging feature can be useful. Thank you for the hint. If
I come up with a working ruleset, I'll post it here.


-- 
Victor Sudakov,  VAS4-RIPE, VAS47-RIPN
sip:sudakov at sibptus.tomsk.ru
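A pf.conf sketch along the lines Matthew suggests, as an added example that is not part of the thread: ingress rules tag each packet with the trust level of the interface it arrived on, and egress rules admit a packet only if its tag outranks the interface it is leaving through, so connections can only be initiated from a more secure interface towards a less secure one. Interface names, level names and the www_server address are assumptions; the urpf-failed rule is the one from the thread.

```conf
# Added example, not from the thread. Interface names are assumptions.
ext_if = "em0"    # Internet, least trusted
dmz_if = "em1"    # DMZ, medium trust
int_if = "em2"    # LAN, most trusted
www_server = "192.0.2.10"   # assumed DMZ host for the exception below

set skip on lo0
scrub in all

# Anti-spoofing without per-network macros (the urpf-failed hint above)
block in quick from urpf-failed

# Default deny in both directions on every interface
block log all

# Step 1: classify by ingress interface. These rules pass the packet into
# the firewall and attach a tag; the tag is sticky, so the outbound
# decision on the other interface can see it.
pass in on $int_if tag LEVEL100
pass in on $dmz_if tag LEVEL50
# Nothing is passed in from $ext_if (level 0) except the explicit
# exception in step 3.

# Step 2: a packet may leave an interface only when it carries a tag from
# a higher level than that interface. Reply packets match the state
# created here, so no reverse rules are needed.
pass out on $ext_if tagged LEVEL100
pass out on $ext_if tagged LEVEL50
pass out on $dmz_if tagged LEVEL100
# Deliberately absent:
#   pass out on $int_if tagged ...   -> nothing may initiate towards the LAN
#   pass out on $dmz_if tagged LEVEL50 -> DMZ hosts cannot cross the
#                                          firewall to reach each other

# Step 3: explicit lower-to-higher exception, e.g. a public web server in
# the DMZ. Both the in rule and the out rule are required, and the
# dedicated tag keeps the exception from widening into a general pass.
pass in  on $ext_if proto tcp to $www_server port 80 tag INET_WEB
pass out on $dmz_if proto tcp to $www_server port 80 tagged INET_WEB

# Traffic originated by the firewall itself is also caught by "block all"
# and needs its own pass rules; they are omitted here.
```

Load with `pfctl -nf /etc/pf.conf` first to syntax-check, then watch `pfctl -vsr` counters and the pflog interface to confirm that only LAN- and DMZ-initiated flows cross the external interface.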

