Date:      Sun, 09 Oct 2011 14:44:13 +0300
From:      Nikos Vassiliadis <>
To:        Victor Sudakov <>,  FreeBSD Questions <>
Subject:   Re: need help with pf configuration
Message-ID:  <>
In-Reply-To: <>
References:  <>	<20111008235238.GB3136@hs1.VERBENA>	<>	<20111009015141.GA60380@hs1.VERBENA>	<>	<> <>

On 10/9/2011 10:39 AM, Victor Sudakov wrote:
> Patrick Lamaiziere wrote:
>>> I have a configuration with 2 inside interfaces, 1 outside and 1 dmz
>>> interface. The traffic should be able to flow
>>> 1) from inside1 to any (and back)
>>> 2) from inside2 to any (and back)
>>> 3) from dmz to outside only (and back).
>>> I need no details, just a general hint on how to set up such security
>>> levels, preferably independent of the actual IP addresses behind the
>>> interfaces (a :network macro is not always sufficient).
>> You may use urpf-failed instead of :network
>> urpf-failed: Any source address that fails a unicast reverse path
>> forwarding (URPF) check, i.e. packets coming in on an interface other
>> than that which holds the route back to the packet's source address.
> Excuse me, I do not see how this is relevant to my question (allowing
> traffic to be initiated from a more secure interface to a less secure
> interface and not vice versa).

What if you combine macros and lists?
The ruleset below seems "scalable" to any number of interfaces.

inside1 = em1
inside2 = em2
dmz = em0
insides = "{" $inside1:network $inside2:network "}"

pass in on $dmz from $dmz:network to any
block in on $dmz from any to $insides

This expands nicely to:
lab# pfctl -vf te
inside1 = "em1"
inside2 = "em2"
dmz = "em0"
insides = "{ em1:network em2:network }"
pass in on em0 inet from to any flags S/SA keep state
block drop in on em0 inet from any to
block drop in on em0 inet from any to

HTH, Nikos
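
A fuller ruleset along the same lines (macros plus a host list), added here as an example and not taken from the original thread, covering all three requirements from the question: both inside interfaces may initiate to anywhere, the dmz may initiate to the outside only, and replies come back via state. The interface names em0 to em3, the default-deny baseline and the use of quick rules are my assumptions, not something the thread specifies.

```pf
# Interface names are assumed for this example (hypothetical lab box)
ext_if  = "em3"
inside1 = "em1"
inside2 = "em2"
dmz     = "em0"
# Same trick as in the reply above: a host list built from :network macros
insides = "{" $inside1:network $inside2:network "}"

set skip on lo0

# Default deny on every interface; anything not matched below is dropped
block log all

# Drop packets whose source does not belong to the interface they arrive on
antispoof quick for { $inside1 $inside2 $dmz } inet

# Requirements 1 and 2: inside1 and inside2 may initiate to any destination
pass in quick on $inside1 from $inside1:network to any keep state
pass in quick on $inside2 from $inside2:network to any keep state

# Requirement 3: dmz may initiate to outside only.
# The quick block toward the inside networks must come before the pass,
# so dmz hosts can never open connections to inside1 or inside2.
block in quick on $dmz from any to $insides
pass  in quick on $dmz from $dmz:network to any keep state

# Nothing initiates from the outside: inbound on $ext_if stays at default deny.
# Outbound on every interface is allowed; the state created on the ingress
# interface carries the reply traffic back for all three cases.
pass out quick all keep state
```

Check the expansion and syntax without loading it with `pfctl -nvf /etc/pf.conf`; the `:network` macros are resolved at load time, so re-run `pfctl -f` after changing an interface address.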
