Date: Thu, 21 Nov 2019 13:29:13 -0600
From: Matthew Grooms <mgrooms@shrew.net>
To: freebsd-net@freebsd.org
Subject: Re: pf, stateful filter and DMZ
Message-ID: <4d7b48c2-8141-e2cb-596e-8a73d9e68618@shrew.net>
In-Reply-To: <20191121151041.GA93735@admin.sibptus.ru>
References: <20191121151041.GA93735@admin.sibptus.ru>
On 11/21/2019 9:10 AM, Victor Sudakov wrote:
> Dear Colleagues,
>
> A quick question about pf from an ipfw user.
>
> Suppose I have three interfaces: $outside, $inside and $dmz. If I want
> to block any traffic from $dmz to $inside, unless it is
>
> 1. Return traffic from $inside to $dmz
> 2. ICMP traffic in any direction
>
> would these rules be sufficient?
>
> block in on $dmz
> pass in on $dmz proto icmp
> pass out on $inside

Assuming a default to deny with narrow match criteria (using in/out & from/to), you probably want something like the following ...

# default to deny
block log all

# pass icmp from dmz to inside
pass in log on $if_dmz proto icmp from $net_dmz to $net_inside
pass out log on $if_inside proto icmp from $net_dmz to $net_inside

# pass from inside to dmz
pass in log on $if_inside from $net_inside to $net_dmz
pass out log on $if_dmz from $net_inside to $net_dmz

Rules will keep state by default unless you disable it (w/ no keep state), so return packets will pass (icmp from inside to dmz | any from dmz to inside).

You could broaden the match criteria by dropping the from/to selectors.

-Matthew
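A complete pf.conf assembled from the rules in Matthew's reply, added here as an illustration and not part of the original message. The macro names $if_dmz, $if_inside, $net_dmz and $net_inside are taken from the reply; the interface names, the address ranges (RFC 5737 documentation prefixes), the $if_outside macro and the "set skip on lo0" line are assumptions supplied for the example and must be replaced with the real values.

```pf
# Added example, not from the original message: a full pf.conf built from
# the directional rules in the reply. Interface names and networks below
# are constructed placeholders.
if_inside  = "em0"
if_dmz     = "em1"
if_outside = "em2"
net_inside = "192.0.2.0/24"        # constructed, RFC 5737 documentation range
net_dmz    = "198.51.100.0/24"     # constructed, RFC 5737 documentation range

# Assumption: loopback is not filtered.
set skip on lo0

# Default to deny. Logging sends every dropped packet to pflog0, so a rule
# that is too narrow shows up as logged blocks rather than silent drops.
block log all

# ICMP from the DMZ to the inside: matched on the ingress interface and
# again on the egress interface. "keep state" is the default for pass
# rules; it is written out here only to make the stateful behaviour visible.
pass in  log on $if_dmz    proto icmp from $net_dmz to $net_inside keep state
pass out log on $if_inside proto icmp from $net_dmz to $net_inside keep state

# Anything from the inside to the DMZ. Replies from the DMZ back to the
# inside match the state these rules create, so no separate rule for the
# return direction is needed; every other DMZ-to-inside packet falls
# through to "block log all".
pass in  log on $if_inside from $net_inside to $net_dmz keep state
pass out log on $if_dmz    from $net_inside to $net_dmz keep state
```

Check the file with "pfctl -nf /etc/pf.conf" before loading it with "pfctl -f /etc/pf.conf". To confirm that the return traffic really is passing on state rather than on a rule, watch the state table with "pfctl -ss" while a host on the inside talks to the DMZ, and watch "tcpdump -n -e -ttt -i pflog0" for anything the default block is catching.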