Date:      Sun, 09 Oct 2011 12:26:12 +0100
From:      Matthew Seaman <>
To:        Patrick Lamaiziere <>
Cc:        Victor Sudakov <>, FreeBSD Questions <>
Subject:   Re: need help with pf configuration
Message-ID:  <>
In-Reply-To: <>
References:  <> <20111008235238.GB3136@hs1.VERBENA> <> <20111009015141.GA60380@hs1.VERBENA> <> <> <> <>


On 09/10/2011 10:31, Patrick Lamaiziere wrote:
> On Sun, 9 Oct 2011 14:39:10 +0700,
> Victor Sudakov <> wrote:
>>>> > > > I need no details, just a general hint how to set up such security
>>>> > > > levels, preferably independent of actual IP addresses behind
>>>> > > > interfaces (a :network macro is not always sufficient).
>>> > >
>>> > > You may use urpf-failed instead of :network
>>> > > urpf-failed: Any source address that fails a unicast reverse path
>>> > > forwarding (URPF) check, i.e. packets coming in on an interface
>>> > > other than that which holds the route back to the packet's source
>>> > > address.
>> >
>> > Excuse me, I do not see how this is relevant to my question (allowing
>> > traffic to be initiated from a more secure interface to a less secure
>> > interface and not vice versa).
> Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
> FreeBSD). There is no concept of security level at all, you must specify
> on each interface the traffic allowed (in input and output).
> My reply was about the use of the interface:network addresses.

pf has the concept of packet tagging.  So you can write a small rule to
tag traffic crossing e.g. your set of internal interfaces and then write
one ruleset to filter all that traffic identified by tag.

Quoting pf.conf(5): "This can be used, for example, to provide trust
between interfaces and to determine if packets have been processed by
translation rules."

I think that's roughly equivalent to what the OP was asking about.



Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP:                                              Ramsgate
JID:                                              Kent, CT11 9PW
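The tagging approach Matthew describes, written out as a complete pf.conf ruleset. This is an added example, not code from the message or from the pf project; it assumes three interfaces (em0 external, em1 DMZ, em2 internal) so that it covers an ordered set of trust levels rather than only the two-interface case the thread discusses, and it assumes a pf new enough to accept `no state` (FreeBSD 7 and later).

```pf
# Assumed interface names and trust order (constructed for this example):
#   $int_if (most trusted) > $dmz_if > $ext_if (least trusted)
ext_if = "em0"
dmz_if = "em1"
int_if = "em2"

# A state created on one interface must also match the same connection's
# packets on the other interface it crosses.  Floating is the default on
# FreeBSD; it is stated here because the design depends on it.
set state-policy floating
set skip on lo0

# Default deny: any path not listed below is dropped and logged.
block log all

# Step 1: on ingress, mark each packet with the trust level of the
# interface it arrived on.  "no state" is deliberate: with a state here,
# the first packet of a connection would be passed out of any interface
# by the state lookup and the "tagged" rules below would never see it.
pass in quick on $int_if tag TRUST_INT no state
pass in quick on $dmz_if tag TRUST_DMZ no state

# Step 2: on egress, let a packet leave only through an interface that is
# less trusted than the one it was tagged on.  State is created here, so
# the replies (including those leaving on $int_if or $dmz_if) pass by state.
pass out quick on $ext_if tagged TRUST_INT keep state
pass out quick on $ext_if tagged TRUST_DMZ keep state
pass out quick on $dmz_if tagged TRUST_INT keep state

# Connections originated by the firewall itself carry no tag.
pass out quick from self keep state

# Everything else falls through to "block log all":
#  - TRUST_DMZ leaving on $int_if (the DMZ may not initiate to the inside),
#  - anything arriving on $ext_if that matches no existing state,
#  - untagged forwarded packets of any kind.
```

Check the ruleset with `pfctl -nf /etc/pf.conf` before loading it, and watch `pflog0` for the logged blocks while testing each direction.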


