From: Matthew Seaman
Date: Sun, 09 Oct 2011 12:26:12 +0100
To: Patrick Lamaiziere
Cc: Victor Sudakov, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: need help with pf configuration
Message-ID: <4E9184D4.50303@infracaninophile.co.uk>
In-Reply-To: <20111009113106.3848a1cb@davenulle.org>

On 09/10/2011 10:31, Patrick Lamaiziere wrote:
> On Sun, 9 Oct 2011 14:39:10 +0700,
> Victor Sudakov wrote:
>
>>>> I need no details, just a general hint how to setup such security
>>>> levels, preferably independent of actual IP addresses behind the
>>>> interfaces (a :network macro is not always sufficient).
>>>
>>> You may use urpf-failed instead :network
>>> urpf-failed: Any source address that fails a unicast reverse path
>>> forwarding (URPF) check, i.e. packets coming in on an interface
>>> other than that which holds the route back to the packet's source
>>> address.
>>
>> Excuse me, I do not see how this is relevant to my question (allowing
>> traffic to be initiated from a more secure interface to a less secure
>> interface and not vice versa).
>
> Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
> FreeBSD). There is no concept of security level at all, you must specify
> on each interface the traffic allowed (in input and output).
>
> My reply was about the use of the interface:network addresses.

pf has the concept of packet tagging. So you can write a small rule to
tag traffic crossing e.g. your set of internal interfaces and then write
one ruleset to filter all that traffic identified by tag. Quoting
pf.conf(5):

   "This can be used, for example, to provide trust between interfaces
   and to determine if packets have been processed by translation rules."

I think that's roughly equivalent to what the OP was asking about.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matthew@infracaninophile.co.uk               Kent, CT11 9PW
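The tagging approach Matthew describes, written out as an added pf.conf example (not from the thread or any poster); interface names, tag names and the DMZ web server address are assumed:

```pf
# Added example (not from the thread): trust levels between interfaces via pf
# tags. Interface names, tag names and the DMZ web server address are assumed.
int_if  = "em0"          # most trusted: internal LAN
dmz_if  = "em1"          # medium trust: DMZ
ext_if  = "em2"          # least trusted: Internet
dmz_www = "192.0.2.10"   # assumed DMZ web server

set skip on lo0
block log all

# Packets addressed to the firewall itself never reach an egress rule, so they
# are decided here: admin ssh from the LAN only, everything else dropped.
pass in quick on $int_if proto tcp to self port ssh keep state
block in quick to self
# The firewall's own traffic never passed an "in" rule, so it carries no tag.
# (NAT is not shown; nat on $ext_if would make forwarded traffic look like
# "from self" at egress, so scope this rule more narrowly in that case.)
pass out from self keep state

# Ingress: mark every forwarded packet with the trust level of the interface
# it arrived on. Stateless on purpose: pf states float across interfaces, so a
# state created here would carry the packet out of any interface without the
# egress rules below ever being consulted.
pass in on $int_if all tag FROM_INT no state
pass in on $dmz_if all tag FROM_DMZ no state
pass in on $ext_if all tag FROM_EXT no state

# Egress: a packet may leave an interface only if it was tagged on a more
# trusted one. Tags are sticky, so no addresses or :network macros are needed;
# the tag follows the packet from ingress to egress. State is created here so
# replies are matched by state on both interfaces.
pass out on $ext_if tagged FROM_INT keep state
pass out on $ext_if tagged FROM_DMZ keep state
pass out on $dmz_if tagged FROM_INT keep state
# There is no "pass out on $int_if" rule: anything initiated from the DMZ or
# the Internet towards the LAN falls through to "block log all".

# Address-specific exception for a published service: only HTTP/HTTPS from the
# Internet may be initiated towards the DMZ web host.
pass out on $dmz_if proto tcp to $dmz_www port { 80 443 } tagged FROM_EXT keep state
```

Check it with `pfctl -nf /etc/pf.conf` before loading, and verify the trust direction with `pfctl -sr` plus a connection attempt from each side; `tcpdump -n -e -ttt -i pflog0` shows what the final block rule catches.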