Date: Sun, 27 Oct 2013 01:28:47 +0200
From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: freebsd-pf@freebsd.org
Subject: Re: PF sanity check
Message-ID: <201310270128.47766.vegeta@tuxpowered.net>
In-Reply-To: <CAENR+_W2UOMUkXBBJ3nOpa_nw2i5F4wm6RuxwJZJ1LNfRrSNEw@mail.gmail.com>
References: <CAENR+_W2UOMUkXBBJ3nOpa_nw2i5F4wm6RuxwJZJ1LNfRrSNEw@mail.gmail.com>
On Saturday, 26 October 2013 at 17:36:14, Rumen Telbizov wrote:
> 1. I use quick rules everywhere. Early on in the ruleset I pass everything
> in and out on the $ext_if no state. See below.
> ...
> 2. For inter-vlan traffic it will create double states for the pass rules:
> one state on the way the packet coming in on the source vlan interface and
> another out going out of the destination interface allowing the specific
> traffic.
>
> The question is: Is keeping two states for one connection a bad thing or is
> it an acceptable practice?

It's rather a requirement. A packet incoming on one interface creates a
different state than the same packet outgoing on another interface (even without
an if-bound state policy). And you want further, reverse-direction packets in
connections to be matched to existing states and passed instead of traversing
the rule list or hitting the block rule.

> Here's a reproduction of the ruleset for better understanding:
>
> # ignore the $ext_if below

If you want to fully ignore the interface, you can use "set skip" for that
purpose. Although I'm not sure if NAT will work in such a case, should you need
it. It also would be nice to set skip on the loopback interface.

> pass quick on $ext_if no state

This rule passes the traffic in both directions, so it's probably fine. Although
using stateful inspection would increase security a bit.

> # vlan1
> pass in quick on vlan1 # outgoing state for the internet and other vlans
> pass out quick on vlan1 proto tcp from <trusted> to 10.1.1.1 port 22
> block quick on vlan1 all
>
> # vlan2
> pass in quick on vlan2
> pass out quick on vlan2 proto tcp from any to 10.1.2.1 port 80
> block quick on vlan2 all
> ...
>
> block quick all
>

-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS       |
| Kajetan Staszkiewicz   | jabber,email: vegeta()tuxpowered net        |
| Vegeta                 | www: http://vegeta.tuxpowered.net           |
`------------------------^---------------------------------------'
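As an added example, not part of the thread and not the poster's own ruleset: the quoted pf.conf rewritten with the two changes the reply suggests, stateful rules on $ext_if instead of "no state" and "set skip" on the loopback interface. The external interface name em0 and the contents of the <trusted> table are assumptions; the vlan names, addresses and ports are taken from the quoted rules. The comments mark where the two states for one routed vlan1-to-vlan2 connection come from.

```pf
# Added example, not the ruleset from the thread.
# Assumptions: the external interface is em0 and <trusted> holds both vlan subnets.
ext_if = "em0"
table <trusted> { 10.1.1.0/24, 10.1.2.0/24 }

# Loopback traffic is not filtered at all: no rule evaluation, no states.
# $ext_if is deliberately NOT skipped, so NAT rules can still be attached to it later.
set skip on lo0

# Floating states are the default; a routed connection still gets one state
# per interface it crosses, so "set state-policy if-bound" is not needed for that.
set state-policy floating

# Stateful instead of "pass quick on $ext_if no state": replies are matched
# against the state table and never reach the block rules below.
pass in  quick on $ext_if keep state
pass out quick on $ext_if keep state

# vlan1: a SYN from a vlan1 host to 10.1.2.1:80 is passed here on the way in
# and creates state #1 (direction in, interface vlan1).
pass in  quick on vlan1
pass out quick on vlan1 proto tcp from <trusted> to 10.1.1.1 port 22
block    quick on vlan1 all

# vlan2: the same SYN, now leaving on vlan2, does not match state #1 (different
# direction), is evaluated against the vlan2 rules and creates state #2.
# The SYN-ACK coming back in on vlan2 matches state #2, and out on vlan1 matches state #1.
pass in  quick on vlan2
pass out quick on vlan2 proto tcp from any to 10.1.2.1 port 80
block    quick on vlan2 all

block quick all
```

To check it: `pfctl -nf /etc/pf.conf` parses the file without loading it; after loading, `pfctl -ss` lists the state table, where one vlan1-to-vlan2 TCP connection shows up as two entries (one on vlan1, one on vlan2), and `pfctl -vsr` shows per-rule packet and state counters, which makes it easy to confirm that reply packets are hitting states rather than the `block` rules.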