Date: Sun, 9 Oct 2011 08:38:55 +0200
From: Patrick Lamaiziere
To: Victor Sudakov
Cc: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: need help with pf configuration
Message-ID: <20111009083855.0e9879f6@davenulle.org>
In-Reply-To: <20111009051554.GA91440@admin.sibptus.tomsk.ru>
References: <20111008235238.GB3136@hs1.VERBENA> <20111009015141.GA60380@hs1.VERBENA> <20111009051554.GA91440@admin.sibptus.tomsk.ru>

On Sun, 9 Oct 2011 12:15:54 +0700, Victor Sudakov wrote:

> I have a configuration with 2 inside interfaces, 1 outside and 1 dmz
> interface. The traffic should be able to flow
>
> 1) from inside1 to any (and back)
> 2) from inside2 to any (and back)
> 3) from dmz to outside only (and back).
>
> I need no details, just a general hint how to setup such security
> levels, preferably independent of actual IP addresses behind the
> interfaces (a :network macro is not always sufficient).

You may use urpf-failed instead of :network:

    urpf-failed: Any source address that fails a unicast reverse path
    forwarding (URPF) check, i.e. packets coming in on an interface other
    than that which holds the route back to the packet's source address.

Something like

    # drop spoofed sources arriving on the wrong interface
    block in quick on $inside1 from urpf-failed to any
    # everything else coming in on inside1 is allowed (stateful)
    pass in quick on $inside1

I've not tested this.

Regards
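As an added example (not from the thread, and untested by its participants), here is one way to turn the hint above into a complete pf.conf sketch of the three policies in the question without relying on :network: urpf-failed handles anti-spoofing and pf tags carry the ingress interface to the egress decision. The interface names (em0..em3), the tag names and the if-bound state policy are assumptions.

```pf
# Added example ruleset; interface names are assumptions.
ext_if  = "em0"
inside1 = "em1"
inside2 = "em2"
dmz_if  = "em3"

set skip on lo0
# Bind states to the interface they were created on, so a forwarded
# packet is evaluated against the "pass out" rules on its egress
# interface instead of matching a floating state created on ingress.
set state-policy if-bound

# Default deny; everything below is an explicit exception.
block log all

# Anti-spoofing on every internal interface, independent of addresses:
# a packet whose source is not routed back through this interface is dropped.
block in log quick on { $inside1 $inside2 $dmz_if } from urpf-failed to any

# Ingress: accept traffic from each zone and tag it with its origin.
pass in quick on { $inside1 $inside2 } tag INSIDE keep state
pass in quick on $dmz_if               tag DMZ    keep state

# Egress for 1) and 2): inside zones may go anywhere (outside, the other
# inside interface, or the DMZ). Replies return through the states.
pass out quick on $ext_if                         tagged INSIDE keep state
pass out quick on { $inside1 $inside2 $dmz_if }   tagged INSIDE keep state

# Egress for 3): the DMZ may only reach the outside. DMZ-tagged traffic
# toward either inside interface has no pass rule and hits "block all".
pass out quick on $ext_if tagged DMZ keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch `tcpdump -n -e -ttt -i pflog0` to confirm that the urpf-failed rule is catching only spoofed sources and not asymmetric legitimate traffic.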