Date:      Wed, 26 Mar 2008 09:31:57 -0400
From:      "Kevin K" <kkutzko@teksavvy.com>
To:        "'Vitaliy Vladimirovich'" <artemrts@ukr.net>, "'Jeremy Chadwick'" <koitsu@freebsd.org>
Cc:        freebsd-pf@freebsd.org
Subject:   RE: Re[2]: PF rules for internal interface
Message-ID:  <000801c88f45$c3d76dd0$4b864970$@com>
In-Reply-To: <E1JeTKi-000IsH-ED@ffe1.ukr.net>
References:  <20080326100030.GA79074@eos.sc1.parodius.com> <E1JeTKi-000IsH-ED@ffe1.ukr.net>

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Vitaliy Vladimirovich
> Sent: Wednesday, March 26, 2008 6:58 AM
> To: Jeremy Chadwick
> Cc: freebsd-pf@freebsd.org
> Subject: Re[2]: PF rules for internal interface
> 
> --- Original Message ---
> From: Jeremy Chadwick
> To: Vitaliy Vladimirovich
> Date: 26 March, 12:00:30
> Subject: Re: PF rules for internal interface
> 
> > On Wed, Mar 26, 2008 at 10:51:52AM +0200, Vitaliy Vladimirovich wrote:
> > > Hello! I have a problem with restriction rules for my internal interface.
> > > ...
> >
> > Please don't stick stuff like this all on one line. It's impossible to read.
> >
> > > These are my rules for $int_if:
> > >
> > > pass out quick on $int_if
> > > block in on $int_if
> > > pass in on $int_if from $mynet to any
> > >
> > > But in this situation computers from other subnets can ping my internal interface. Where is my mistake? Thanks in advance.
> >
> > Are these the ONLY RULES you have in your pf.conf?
> >
> > If not: you must remember that the deny/block in "block in on $int_if" may get overridden later in the file, depending upon what rules past that point are. This may be what's happening, assuming later rules do not specify an interface (thus matching all interfaces). For example, if your rules are:
> >
> > pass out quick on $int_if
> > block in on $int_if
> > pass in on $int_if from $mynet to any
> > pass in from $othernet to any
> >
> > In this case, the "block" will not happen when incoming packets from $othernet arrive on $int_if.
> >
> > I've two recommendations:
> >
> > 1) Consider using "antispoof", if your concern is someone spoofing packets across $int_if
> >
> > 2) Consider using these rules instead:
> >
> > pass in quick on $int_if from $mynet to any
> > pass out quick on $int_if from $mynet to any
> > block in quick on $int_if
> > {...other rules...}
> 
> OK. Below are my new rules following your recommendations:
> 
> int_if="sk0"
> mynet="10.0.100.0/16"
> 
> antispoof quick for { lo0 sk0 }
> pass in quick on $int_if from $mynet to any
> pass out quick on $int_if from any to $mynet
> block in quick on $int_if
> 
> But it does not work. I can ping my server from another host not in mynet. What's wrong??


Something is wrong with your formatting in your emails. Newlines are
non-existent and your email is impossible to read. Please re-format your
emails.
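The point Jeremy makes in the quoted text (a later "pass in" with no "on" clause overrides an earlier "block in on $int_if", and "quick" prevents that) is easy to see with a small model of PF's evaluation order. The following is an added example written for this archive page, not code from the thread or from the PF project: it models only the two documented pf.conf(5) rules that matter here, rules are evaluated top to bottom and the last matching rule wins, unless a matching rule carries "quick", which ends evaluation. Interface name sk0 comes from the thread; the subnets, the Rule class, verdict() and covered_network() are constructed for the example. State, protocols, ports and antispoof are deliberately left out.

```python
"""Toy model of PF rule evaluation order (added example, not from the thread).

Models two pf.conf(5) semantics: rules are evaluated top to bottom and the
LAST matching rule wins, except that a matching rule marked "quick" ends
evaluation immediately. Only direction, interface and source address are
modelled; state, protocol, ports and antispoof are left out.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample values for the demonstration. int_if="sk0" is the
# thread's own macro; the two subnets are made up here.
INT_IF = "sk0"
MYNET = "10.0.100.0/24"
OTHERNET = "192.168.1.0/24"


@dataclass(frozen=True)
class Rule:
    action: str                   # "pass" or "block"
    direction: str                # "in" or "out"
    iface: Optional[str] = None   # None means no "on": matches any interface
    src: Optional[str] = None     # CIDR string, None means "from any"
    quick: bool = False           # stop evaluating on match

    def matches(self, direction: str, iface: str, src_ip: str) -> bool:
        if self.direction != direction:
            return False
        if self.iface is not None and self.iface != iface:
            return False
        if self.src is not None:
            net = ipaddress.ip_network(self.src, strict=False)
            if ipaddress.ip_address(src_ip) not in net:
                return False
        return True


def verdict(rules, direction: str, iface: str, src_ip: str) -> str:
    """Return "pass" or "block" for one packet under PF's last-match rule."""
    last = "pass"                 # PF's implicit default when nothing matches
    for rule in rules:
        if rule.matches(direction, iface, src_ip):
            if rule.quick:        # "quick": this matching rule is final
                return rule.action
            last = rule.action    # otherwise remember it and keep going
    return last


# Jeremy's "if your rules are" example: the interface-less "pass in" at the
# end silently overrides "block in on $int_if".
LAST_MATCH_RULES = [
    Rule("pass", "out", INT_IF, quick=True),
    Rule("block", "in", INT_IF),
    Rule("pass", "in", INT_IF, MYNET),
    Rule("pass", "in", None, OTHERNET),   # no "on": matches every interface
]

# The "quick" variant he recommends instead: the same trailing rule can no
# longer undo the block, because evaluation stopped at the block.
QUICK_RULES = [
    Rule("pass", "in", INT_IF, MYNET, quick=True),
    Rule("pass", "out", INT_IF, MYNET, quick=True),
    Rule("block", "in", INT_IF, quick=True),
    Rule("pass", "in", None, OTHERNET),
]


def covered_network(cidr: str) -> str:
    """Show which address range a CIDR macro value really covers.

    A sanity check for macros like mynet: the prefix length, not the host
    bits written in the address, decides which hosts count as the network.
    """
    return str(ipaddress.ip_network(cidr, strict=False))


if __name__ == "__main__":
    for name, rules in (("last-match", LAST_MATCH_RULES), ("quick", QUICK_RULES)):
        for src in ("10.0.100.7", "192.168.1.5", "172.16.0.1"):
            print(f"{name:10s} in on {INT_IF} from {src:12s} -> "
                  f"{verdict(rules, 'in', INT_IF, src)}")
    print("10.0.100.0/16 covers", covered_network("10.0.100.0/16"))
```

Running it shows a packet from the constructed $othernet arriving on sk0 getting "pass" under the first ruleset and "block" under the quick ruleset, while $mynet traffic passes under both. covered_network() is a separate check worth running on any CIDR macro before blaming rule order: it prints the network the mask actually selects.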





Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?000801c88f45$c3d76dd0$4b864970$>