From owner-freebsd-pf@FreeBSD.ORG Sat Oct 26 15:36:15 2013
Date: Sat, 26 Oct 2013 08:36:14 -0700
Subject: PF sanity check
From: Rumen Telbizov
To: freebsd-pf@freebsd.org
List-Id: "Technical discussion and general questions about packet filter (pf)"
Hello everyone,

I am in the process of building a brand new PF firewall ruleset for a site which requires that we have the ability to filter between internal vlans as well as between the Internet and the vlans. I'd like to share what I have in mind and hear what people think about it and what they have done in the past.

Here are a few assumptions that I made during the process:

1. I use quick rules everywhere. Early on in the ruleset I pass everything in and out on the $ext_if no state. All of the actual rules that let the traffic in or create the state out (to the Internet and other vlans) are bound to the vlan interface itself. So this way, effectively I only have to worry about writing one rule which is bound to the vlan interface itself and don't care if the traffic comes from the Internet or another vlan. They are to be considered equally dangerous sources of traffic. So if a packet that is to be blocked comes in from the Internet it will pass "halfway through" via the external interface on its way in and then will be blocked on its way out when it hits the vlan interface.

   So my questions here are:
   - Is this a sane setup?
   - Is there any security risk in me allowing the traffic to pass the external interface and then dropping it on the internal interface? As a side effect it turns out that pf will always send an ICMP host unreachable when I have this setup regardless of the default block policy.

2. For inter-vlan traffic it will create double states for the pass rules: one state on the way in, for the packet coming in on the source vlan interface, and another on the way out, going out of the destination interface allowing the specific traffic. The question is: Is keeping two states for one connection a bad thing or is it an acceptable practice?
Here's a reproduction of the ruleset for better understanding:

    # ignore the $ext_if below
    pass quick on $ext_if no state

    # vlan1
    pass in quick on vlan1    # outgoing state for the internet and other vlans
    pass out quick on vlan1 proto tcp from to 10.1.1.1 port 22
    block quick on vlan1 all

    # vlan2
    pass in quick on vlan2
    pass out quick on vlan2 proto tcp from any to 10.1.2.1 port 80
    block quick on vlan2 all

    ...

    block quick all

All your input is highly appreciated. Thank you very much.

Regards,
--
Rumen Telbizov
Unix Systems Administrator
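The following is an added example of a complete ruleset built on the "decide everything on the destination vlan interface" design described in the message above; it is not the poster's configuration, only a fragment of which was reproduced. The uplink name (em0 as $ext_if), the tables <ssh_clients> and <admin_hosts> with their addresses, and the subnet assignments are assumptions. It differs from the posted fragment in one place a reviewer would flag: a stateless `pass quick on $ext_if` also admits packets addressed to the firewall itself, and those are delivered to the local stack without ever crossing a vlan interface, so they never meet the per-vlan block; the same holds for the unconditional `pass in quick on vlan1`. The example therefore decides traffic to `self` (pf's keyword for all of the firewall's own addresses) before the unconditional passes. The pair of states per inter-vlan connection is expected behaviour, not a defect: pf evaluates a forwarded packet on the interface it enters and again on the interface it leaves, and a stateful pass on each of the two creates its own entry in `pfctl -ss`.

```pf
# Added example, not the original poster's ruleset.  Assumed topology:
# em0 is the uplink, vlan1 = 10.1.1.0/24 (SSH server 10.1.1.1),
# vlan2 = 10.1.2.0/24 (web server 10.1.2.1).  Interface names, table
# names and all addresses below are assumptions.
ext_if  = "em0"
int_ifs = "{ vlan1 vlan2 }"
table <ssh_clients> { 10.1.2.0/24, 203.0.113.0/24 }   # assumed: who may reach 10.1.1.1:22
table <admin_hosts> { 10.1.1.50 }                     # assumed: who may ssh to the firewall

set block-policy drop
set skip on lo0     # antispoof below also blocks the interface addresses inbound

# Drop packets whose source address belongs to one of our networks but
# arrived on the wrong interface (expands to "block in" rules, see pfctl -sr).
antispoof quick for $ext_if inet
antispoof quick for $int_ifs inet

# Sessions the firewall opens itself (DNS, NTP, package updates) keep state,
# so their replies are matched from the state table before any rule is read.
# This must precede the stateless uplink pass below or the replies would be
# evaluated against "block in quick on $ext_if to self".
pass out quick from self keep state

# Uplink.  Forwarded packets are filtered only on the vlan interface they
# leave by, so the uplink pass is stateless.  Packets addressed to the
# firewall itself never reach a vlan interface and are decided here.
block in quick on $ext_if to self
pass     quick on $ext_if no state

# vlan1: 10.1.1.1 offers SSH to the hosts in <ssh_clients>, whether they sit
# on the Internet or on another vlan.  Management of the firewall from this
# vlan is restricted to <admin_hosts>; the general "pass in" creates the state
# for the vlan's own outbound sessions to the Internet and to other vlans.
pass  in  quick on vlan1 proto tcp from <admin_hosts> to self port 22 keep state
block in  quick on vlan1 to self
pass  in  quick on vlan1 keep state
pass  out quick on vlan1 proto tcp from <ssh_clients> to 10.1.1.1 port 22 keep state
block     quick on vlan1 all

# vlan2: 10.1.2.1 offers HTTP to everyone; nothing on this vlan may talk to
# the firewall itself.
block in  quick on vlan2 to self
pass  in  quick on vlan2 keep state
pass  out quick on vlan2 proto tcp from any to 10.1.2.1 port 80 keep state
block     quick on vlan2 all

# Anything that did not match a per-interface rule above.
block quick all
```

Before loading, run `pfctl -nf /etc/pf.conf` to parse the file without installing it, `pfctl -sr` to see what the antispoof lines expanded to, and `pfctl -ss` while opening an inter-vlan SSH session to observe the two state entries (one created inbound on vlan2, one outbound on vlan1) that the message asks about.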