Date: Sun, 09 Oct 2011 12:26:12 +0100
From: Matthew Seaman <m.seaman@infracaninophile.co.uk>
To: Patrick Lamaiziere <patfbsd@davenulle.org>
Cc: Victor Sudakov <vas@mpeks.tomsk.su>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: need help with pf configuration
Message-ID: <4E9184D4.50303@infracaninophile.co.uk>
In-Reply-To: <20111009113106.3848a1cb@davenulle.org>
References: <CAEZdUGikPzsN=q-m_szHJCGxGT81UGA7Lbd7remTDdiqM5p3og@mail.gmail.com> <20111008235238.GB3136@hs1.VERBENA> <CAEZdUGiV_aXM67S4Yfw-i5tPZcwCWOiKPSFCPBOLkCfWjMmjeQ@mail.gmail.com> <20111009015141.GA60380@hs1.VERBENA> <20111009051554.GA91440@admin.sibptus.tomsk.ru> <20111009083855.0e9879f6@davenulle.org> <20111009073910.GB92531@admin.sibptus.tomsk.ru> <20111009113106.3848a1cb@davenulle.org>
On 09/10/2011 10:31, Patrick Lamaiziere wrote:
> On Sun, 9 Oct 2011 14:39:10 +0700,
> Victor Sudakov <vas@mpeks.tomsk.su> wrote:
>
>>>> I need no details, just a general hint how to set up such security
>>>> levels, preferably independent of actual IP addresses behind the
>>>> interfaces (a :network macro is not always sufficient).
>>>
>>> You may use urpf-failed instead of :network
>>> urpf-failed: Any source address that fails a unicast reverse path
>>> forwarding (URPF) check, i.e. packets coming in on an interface
>>> other than that which holds the route back to the packet's source
>>> address.
>>
>> Excuse me, I do not see how this is relevant to my question (allowing
>> traffic to be initiated from a more secure interface to a less secure
>> interface and not vice versa).
>
> Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
> FreeBSD). There is no concept of security level at all, you must specify
> on each interface the traffic allowed (in input and output).
>
> My reply was about the use of the interface:network addresses.

pf has the concept of packet tagging. So you can write a small rule to
tag traffic crossing e.g. your set of internal interfaces and then write
one ruleset to filter all that traffic identified by tag.

Quoting pf.conf(5):

"This can be used, for example, to provide trust between interfaces and
to determine if packets have been processed by translation rules."

I think that's roughly equivalent to what the OP was asking about.

Cheers,

Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.
7 Priory Courtyard
Flat 3
Ramsgate
Kent, CT11 9PW

PGP: http://www.infracaninophile.co.uk/pgpkey
JID: matthew@infracaninophile.co.uk
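An added pf.conf sketch of the tagging approach Matthew describes, written for this reply and not taken from the thread or from pf's documentation. Interface names, the three trust levels and the stateful `pass out ... tagged` pattern are assumptions for illustration.

```pf
# Added example: "trust levels" between interfaces via pf tags.
# Interface names are assumed; adjust to your system.
ext_if = "em0"      # least trusted (Internet)
dmz_if = "em2"      # less trusted than the LAN, more trusted than ext_if
int_if = "em1"      # most trusted (LAN)

set skip on lo0

# Default deny on every interface, in both directions, so that anything
# not tagged and explicitly passed below is dropped and logged.
block log all

# Tag packets by the interface they arrive on; the tag is carried in the
# state entry, so replies are matched by state, not re-evaluated.
pass in quick on $int_if tag LAN keep state
pass in quick on $dmz_if tag DMZ keep state

# New connections may only leave towards a less trusted interface than
# the one they were tagged on. Nothing is tagged on $ext_if, so no
# connection from the outside can be initiated into the DMZ or the LAN.
pass out quick on $dmz_if tagged LAN keep state
pass out quick on $ext_if tagged LAN keep state
pass out quick on $ext_if tagged DMZ keep state
```

Services that must be reachable from a less trusted side (e.g. a DMZ web server) still need their own explicit `pass in on $ext_if ... to <host> port <port>` rules; the tag rules only express the default direction of trust.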