From owner-freebsd-questions@FreeBSD.ORG Sun Oct 9 09:27:58 2011
Return-Path:
Delivered-To: freebsd-questions@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id D04FD106564A for ; Sun, 9 Oct 2011 09:27:58 +0000 (UTC) (envelope-from patfbsd@davenulle.org)
Received: from smtp.lamaiziere.net (net.lamaiziere.net [94.23.254.147]) by mx1.freebsd.org (Postfix) with ESMTP id 8F0298FC12 for ; Sun, 9 Oct 2011 09:27:58 +0000 (UTC)
Received: from baby-jane.lamaiziere.net (unknown [192.168.1.10]) by smtp.lamaiziere.net (Postfix) with ESMTP id 8FACEFAA2C87; Sun, 9 Oct 2011 11:27:57 +0200 (CEST)
Received: from localhost (localhost [127.0.0.1]) by baby-jane.lamaiziere.net (Postfix) with ESMTP id 75F3E2CEC1E; Sun, 9 Oct 2011 11:31:09 +0200 (CEST)
Date: Sun, 9 Oct 2011 11:31:06 +0200
From: Patrick Lamaiziere
To: Victor Sudakov
Message-ID: <20111009113106.3848a1cb@davenulle.org>
In-Reply-To: <20111009073910.GB92531@admin.sibptus.tomsk.ru>
References: <20111008235238.GB3136@hs1.VERBENA> <20111009015141.GA60380@hs1.VERBENA> <20111009051554.GA91440@admin.sibptus.tomsk.ru> <20111009083855.0e9879f6@davenulle.org> <20111009073910.GB92531@admin.sibptus.tomsk.ru>
X-Mailer: Claws Mail 3.7.9 (GTK+ 2.22.1; i386-portbld-freebsd8.2)
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 8bit
Cc: FreeBSD Questions
Subject: Re: need help with pf configuration
X-BeenThere: freebsd-questions@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: User questions
X-List-Received-Date: Sun, 09 Oct 2011 09:27:58 -0000

On Sun, 9 Oct 2011 14:39:10 +0700, Victor Sudakov wrote:

> > > I need no details, just a general hint how to set up such security
> > > levels, preferably independent of actual IP addresses behind the
> > > interfaces (a :network macro is not always sufficient).
> >
> > You may use urpf-failed instead of :network
> >
> > urpf-failed: Any source address that fails a unicast reverse path
> > forwarding (URPF) check, i.e. packets coming in on an interface
> > other than that which holds the route back to the packet's source
> > address.
>
> Excuse me, I do not see how this is relevant to my question (allowing
> traffic to be initiated from a more secure interface to a less secure
> interface and not vice versa).

Sorry, you can't do this with pf, ipf or ipfw (the three firewalls in FreeBSD). There is no concept of security level at all; you must specify on each interface the traffic allowed (in input and output). My reply was about the use of the interface:network addresses.

Regards.
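The per-interface approach Patrick describes, written out as an added pf.conf example that is not part of the original thread. It shows the usual way to get "the inside may initiate connections to the outside, but not the reverse" without a security-level concept: a default deny on every interface, a stateful pass rule on the trusted interface so that the reply packets are admitted by state rather than by an inbound rule, and urpf-failed in place of $int_if:network for the anti-spoofing check, as suggested earlier in the thread. The interface names em0/em1 and the exposed ssh service are assumptions for illustration.

```conf
# Added example (not from the original thread): emulating "trusted side
# may initiate, untrusted side may not" with per-interface stateful rules.
# Interface names are assumptions; adjust to your box.
ext_if = "em0"   # less secure side (e.g. the Internet)
int_if = "em1"   # more secure side (the LAN)

set skip on lo0
set block-policy drop

# Default deny on every interface, in both directions. Everything that
# follows is an explicit exception.
block all

# Anti-spoofing that does not depend on knowing the address ranges behind
# each interface: drop any packet whose source is not reachable back
# through the interface it arrived on.
block in quick from urpf-failed

# The trusted side may initiate anything. "keep state" creates a state
# entry that also admits the reply packets arriving on $ext_if, so no
# inbound rule on $ext_if is needed for return traffic.
pass in  on $int_if from $int_if:network keep state
pass out on $ext_if keep state

# Nothing is allowed in on $ext_if except packets matching an existing
# state; the "block all" above covers it. Add one explicit line per
# service you deliberately expose, e.g. ssh to the firewall itself
# (assumed service for illustration).
pass in on $ext_if proto tcp to ($ext_if) port ssh keep state
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and note one caveat of urpf-failed: it only rejects sources that fail the reverse-path lookup, so on the interface that carries the default route it passes every Internet source, which is exactly why the default deny and the stateful pass on $int_if, not urpf-failed, are what enforce the direction of initiation.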