Date: Fri, 22 Nov 2019 13:19:50 +0700
From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-net@freebsd.org
Subject: Re: pf, stateful filter and DMZ
Message-ID: <20191122061950.GA25286@admin.sibptus.ru>
In-Reply-To: <59ac7be3-b79d-a13e-b64f-cd4dae43b9e4@tuxpowered.net>
References: <20191121151041.GA93735@admin.sibptus.ru> <59ac7be3-b79d-a13e-b64f-cd4dae43b9e4@tuxpowered.net>
Kajetan Staszkiewicz wrote:
> > A quick question about pf from an ipfw user.
> >
> > Suppose I have three interfaces: $outside, $inside and $dmz. If I want
> > to block any traffic from $dmz to $inside, unless it is
> >
> > 1. Return traffic from $inside to $dmz

I think I actually meant "return traffic from $dmz_net to $inside_net".

>
> pf is a stateful firewall and you can't really skip its statefulness.
> It will always allow return traffic if you allowed an outgoing connection.

I know that, the question is rather how to *create* the state when
traffic passes from $inside_net to $dmz_net because it's permitted by
default. So I just need a "pass" rule to create state, even if otherwise
this rule does nothing?

>
> > 2. ICMP traffic in any direction
>
> Sounds like a bad idea. Why would you do it?

Well, for example, if a host in $inside_net sends a UDP datagram to a
host in $dmz_net which generates an ICMP port unreachable message, I
want the host in $inside_net to actually receive the message. If pf is
THAT stateful and smart, then this rule is not necessary.

>
> > would these rules be sufficient?
> >
> > block in on $dmz

To be more precise, it would be

block in on $dmz from any to $inside_net
pass in on $dmz proto icmp from any to $inside_net
pass out on $inside
^^^^^^^^^^^^^^^^^^^

The last rule will actually create the state for return traffic, is it
correct?

>
> For me this rather looks like you allow from $dmz to $inside but block
> from $dmz to $outside.

Corrected above.

> Rules are not "quick" so the last one matching
> applies. However somebody else should verify this, I'm always only using
> quick rules so I'm not 100% sure.

As a person with some ipfw background, I try to take advantage of pf's
features, e.g. "last match wins." Maybe it allows for more concise rules.
--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
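An added pf.conf fragment for the three-interface layout discussed in this thread (example configuration, not text from either poster); the interface names and the two address ranges are assumptions. It rests on two pf behaviours: every pass rule keeps state unless written otherwise, and states are floating by default, so a state created when a packet comes in on $inside also matches the reply when it comes in on $dmz. pf evaluates a packet separately on each interface it crosses, and a packet dropped by a block rule on its way in on $dmz never reaches an out rule on $inside, so the state-creating pass rule belongs on the interface where the inside host's first packet enters.

```pf
# Added example; macro values are assumptions, addresses are documentation ranges.
outside    = "em0"
inside     = "em1"
dmz        = "em2"
inside_net = "192.0.2.0/24"
dmz_net    = "198.51.100.0/24"

# Default anyway; shown so the floating/if-bound choice is explicit.
# With if-bound, a state created on $inside would not match on $dmz.
set state-policy floating

# Last matching rule wins: the broad block comes first, exceptions follow.
block in on $dmz from any to $inside_net

# Create state where the inside host's first packet enters the firewall.
# "keep state" is implicit, so the DMZ host's reply matches the state when
# it comes in on $dmz and is never evaluated against the block above.
pass in on $inside from $inside_net to $dmz_net

# ICMP error messages (e.g. port unreachable for a UDP datagram sent from
# $inside_net) are matched by pf to the state of the packet they quote and
# passed with it, so no separate "pass proto icmp" rule is needed for them.
# Allow only echo requests from the DMZ if inside hosts should answer pings.
pass in on $dmz inet proto icmp icmp-type echoreq from $dmz_net to $inside_net
```

`pfctl -nf pf.conf` parses the file without loading it; after loading, `pfctl -ss` lists the states, which is the quickest way to confirm that a connection from $inside_net to $dmz_net created one and that the reply was accounted to it rather than to a rule.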