From: Jeremy Chadwick <jdc@parodius.com>
To: Vitaliy Vladimirovich
Cc: freebsd-pf@freebsd.org
Date: Wed, 26 Mar 2008 03:00:30 -0700
Subject: Re: PF rules for internal interface
Message-ID: <20080326100030.GA79074@eos.sc1.parodius.com>
List-Id: "Technical discussion and general questions about packet filter (pf)"
User-Agent: Mutt/1.5.17 (2007-11-01)

On Wed, Mar 26, 2008 at 10:51:52AM +0200, Vitaliy Vladimirovich wrote:
> Hello! I have a problem with restriction rules for my internal interface.
> ...

Please don't stick stuff like this all on one line. It's impossible to read.

> These are my rules for $int_if:
>
>   pass out quick on $int_if
>   block in on $int_if
>   pass in on $int_if from $mynet to any
>
> But in this situation computers from other subnets can ping my
> internal interface. Where is my mistake? Thanks in advance.

Are these the ONLY RULES you have in your pf.conf? If not: you must
remember that the deny/block in "block in on $int_if" may get overridden
later in the file, depending upon what rules past that point are.

This may be what's happening, assuming later rules do not specify an
interface (thus matching all interfaces). For example, if your rules are:

  pass out quick on $int_if
  block in on $int_if
  pass in on $int_if from $mynet to any
  pass in from $othernet to any

In this case, the "block" will not happen when incoming packets from
$othernet arrive on $int_if.

I've two recommendations:

1) Consider using "antispoof", if your concern is someone spoofing
   packets across $int_if

2) Consider using these rules instead:

  pass in quick on $int_if from $mynet to any
  pass out quick on $int_if from $mynet to any
  block in quick on $int_if
  {...other rules...}

-- 
| Jeremy Chadwick                                jdc at parodius.com |
| Parodius Networking                       http://www.parodius.com/ |
| UNIX Systems Administrator                  Mountain View, CA, USA |
| Making life hard for others since 1977.              PGP: 4BD6C0CB |
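The following is an added illustration (not part of the original mail) of the "last matching rule wins unless quick" evaluation that Jeremy's reply relies on. It is a deliberately reduced model of pf: only direction, interface, source address and "quick" are checked, and the interface name and network values for $int_if, $mynet and $othernet are assumed sample values.

```python
import ipaddress

# Assumed values standing in for the pf.conf macros in the thread.
INT_IF = "em1"                                   # $int_if
MYNET = ipaddress.ip_network("192.168.1.0/24")   # $mynet
OTHERNET = ipaddress.ip_network("10.0.0.0/8")    # $othernet

def rule(action, direction, iface=None, src=None, quick=False):
    """One filter rule; iface/src of None mean 'any', like a rule with no 'on'/'from'."""
    return {"action": action, "dir": direction, "iface": iface, "src": src, "quick": quick}

def matches(r, pkt):
    if r["dir"] != pkt["dir"]:
        return False
    if r["iface"] is not None and r["iface"] != pkt["iface"]:
        return False
    if r["src"] is not None and ipaddress.ip_address(pkt["src"]) not in r["src"]:
        return False
    return True

def evaluate(rules, pkt):
    """pf semantics: walk all rules, the last match decides, unless a matching
    rule is 'quick', which stops evaluation. With no match the default is pass."""
    verdict = "pass"
    for r in rules:
        if matches(r, pkt):
            verdict = r["action"]
            if r["quick"]:
                break
    return verdict

# The questioner's rules followed by a later rule without "on $int_if".
ORIGINAL = [
    rule("pass", "out", iface=INT_IF, quick=True),
    rule("block", "in", iface=INT_IF),
    rule("pass", "in", iface=INT_IF, src=MYNET),
    rule("pass", "in", src=OTHERNET),          # matches every interface
]

# The rules Jeremy recommends, with the same interface-less rule after them.
RECOMMENDED = [
    rule("pass", "in", iface=INT_IF, src=MYNET, quick=True),
    rule("pass", "out", iface=INT_IF, src=MYNET, quick=True),
    rule("block", "in", iface=INT_IF, quick=True),
    rule("pass", "in", src=OTHERNET),
]

# Constructed sample packets: one from $othernet and one from $mynet on $int_if.
PKT_OTHERNET = {"dir": "in", "iface": INT_IF, "src": "10.1.2.3"}
PKT_MYNET = {"dir": "in", "iface": INT_IF, "src": "192.168.1.10"}
```

Running `evaluate(ORIGINAL, PKT_OTHERNET)` returns "pass" because the final interface-less rule overrides the earlier block, while `evaluate(RECOMMENDED, PKT_OTHERNET)` returns "block" because the quick block ends evaluation before that rule is reached.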