Date:      Sun, 9 Oct 2011 08:38:55 +0200
From:      Patrick Lamaiziere <patfbsd@davenulle.org>
To:        Victor Sudakov <vas@mpeks.tomsk.su>
Cc:        FreeBSD Questions <freebsd-questions@freebsd.org>
Subject:   Re: need help with pf configuration
Message-ID:  <20111009083855.0e9879f6@davenulle.org>
In-Reply-To: <20111009051554.GA91440@admin.sibptus.tomsk.ru>
References:  <CAEZdUGikPzsN=q-m_szHJCGxGT81UGA7Lbd7remTDdiqM5p3og@mail.gmail.com> <20111008235238.GB3136@hs1.VERBENA> <CAEZdUGiV_aXM67S4Yfw-i5tPZcwCWOiKPSFCPBOLkCfWjMmjeQ@mail.gmail.com> <20111009015141.GA60380@hs1.VERBENA> <20111009051554.GA91440@admin.sibptus.tomsk.ru>

On Sun, 9 Oct 2011 12:15:54 +0700,
Victor Sudakov <vas@mpeks.tomsk.su> wrote:

> I have a configuration with 2 inside interfaces, 1 outside and 1 dmz
> interface. The traffic should be able to flow
> 
> 1) from inside1 to any (and back)
> 2) from inside2 to any (and back)
> 3) from dmz to outside only (and back).
> 
> I need no details, just a general hint how to set up such security
> levels, preferably independent of actual IP addresses behind the
> interfaces (a :network macro is not always sufficient).

You may use urpf-failed instead of :network.
urpf-failed: Any source address that fails a unicast reverse path
forwarding (URPF) check, i.e. packets coming in on an interface other
than that which holds the route back to the packet's source address.

something like
block in quick on $inside1 from urpf-failed to any
pass in quick on $inside1

I've not tested this.

Regards
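One way to build a complete ruleset around that urpf-failed hint for the four-interface layout in the question, as an added example that is not part of Patrick's reply or of any FreeBSD documentation. The interface names are assumed placeholders, and the dmz restriction relies on the received-on rule option, which is assumed to be available in the pf shipped with FreeBSD 9 and later (not in 8.x).

```pf
# Added example, not from the original thread. Interface names are assumed
# placeholders; replace them with the real NICs.
ext_if  = "em0"
inside1 = "em1"
inside2 = "em2"
dmz_if  = "em3"

set skip on lo0

# Default deny. Rules below keep state unless marked otherwise, so the
# "and back" half of each requirement is covered by state, not extra rules.
block log all

# Anti-spoofing without listing addresses: drop any packet arriving on an
# interface other than the one holding the route back to its source.
# Caveat: this assumes symmetric routing; a network reachable over two
# interfaces would have its legitimate traffic dropped on one of them.
block in log quick from urpf-failed

# 1) and 2): both inside networks may initiate to anything (dmz included);
# replies return through the floating state created here.
pass in quick on { $inside1, $inside2 }

# 3): dmz may initiate to the outside only, not to the firewall itself.
# "no state" forces every packet from the dmz to be evaluated again on its
# outbound interface; a state created here would otherwise carry it
# straight through to the inside interfaces as well.
block in log quick on $dmz_if to self
pass in quick on $dmz_if no state
block out log quick on { $inside1, $inside2 } received-on $dmz_if

# Everything leaving on the external interface (dmz-originated packets, and
# anything from the firewall itself) creates state here; inside-originated
# traffic already matched the state created by its pass in rule.
pass out quick on $ext_if
```

Inbound traffic on $ext_if matches no pass rule, so only replies to existing states get in; check the result with pfctl -sr and pfctl -ss before trusting it.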


