Date: Mon, 10 Oct 2011 14:10:53 +0700
From: Victor Sudakov <sudakov@sibptus.tomsk.ru>
To: FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: need help with pf configuration
Message-ID: <20111010071053.GB23778@admin.sibptus.tomsk.ru>
In-Reply-To: <4E91890D.7050105@gmx.com>
References: <CAEZdUGikPzsN=q-m_szHJCGxGT81UGA7Lbd7remTDdiqM5p3og@mail.gmail.com>
 <20111008235238.GB3136@hs1.VERBENA>
 <CAEZdUGiV_aXM67S4Yfw-i5tPZcwCWOiKPSFCPBOLkCfWjMmjeQ@mail.gmail.com>
 <20111009015141.GA60380@hs1.VERBENA>
 <20111009051554.GA91440@admin.sibptus.tomsk.ru>
 <20111009083855.0e9879f6@davenulle.org>
 <20111009073910.GB92531@admin.sibptus.tomsk.ru>
 <4E91890D.7050105@gmx.com>
Nikos Vassiliadis wrote:
> >>
> >>>I have a configuration with 2 inside interfaces, 1 outside and 1 dmz
> >>>interface. The traffic should be able to flow
> >>>
> >>>1) from inside1 to any (and back)
> >>>2) from inside2 to any (and back)
> >>>3) from dmz to outside only (and back).
> >>>
> >>>I need no details, just a general hint how to set up such security
> >>>levels, preferably independent of actual IP addresses behind the
> >>>interfaces (a :network macro is not always sufficient).
> >>
> >>You may use urpf-failed instead of :network
> >>urpf-failed: Any source address that fails a unicast reverse path
> >>forwarding (URPF) check, i.e. packets coming in on an interface other
> >>than that which holds the route back to the packet's source address.
> >
> >Excuse me, I do not see how this is relevant to my question (allowing
> >traffic to be initiated from a more secure interface to a less secure
> >interface and not vice versa).
> >
>
> What if you combine macros and lists?
> The ruleset below seems "scalable" to any number of interfaces.
>
> inside1 = em1
> inside2 = em2
> dmz = em0
> insides = "{" $inside1:network $inside2:network "}"

The problem is, there could be several routed networks behind the inside
interfaces. Not all inside networks are directly connected, and the
:network macro works only for directly connected interfaces, right?

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20111010071053.GB23778>
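As an added example (editor's illustration, not a ruleset posted by Nikos or Victor in the thread), here is one pf.conf that expresses the three levels asked about purely in terms of interface names, so the prefixes routed behind the inside interfaces never have to appear in it. The trick is to tag a packet on the interface it enters, bind states to interfaces, and only write "pass out ... tagged" rules for the interfaces that level is allowed to leave through. The interface names are assumptions: em3 outside, em1/em2 inside, em0 dmz.

```pf
# Added example, not from the thread. Interface names are assumed:
# em3 = outside, em1/em2 = inside, em0 = dmz.
ext_if  = "em3"
inside1 = "em1"
inside2 = "em2"
dmz_if  = "em0"
insides = "{" $inside1 $inside2 "}"

# Bind every state to the interface it was created on. With the default
# floating policy the packet leaving on em1 would already match the state
# created on em0 and the "pass out ... tagged" rules below would never be
# evaluated, so dmz -> inside could not be stopped without listing addresses.
set state-policy if-bound
set skip on lo0

# Default deny on all interfaces in both directions. Everything that passes
# below is "quick", so the first matching pass rule wins.
block log all

# Optional and independent of the level rules: drop packets whose source
# address is not routed back through the interface they arrived on.
block in log quick from urpf-failed

# Level 1: anything that enters on an inside interface may go anywhere.
# The tag travels with the packet to the egress interface, where the out rule
# creates a second, egress-bound state that the replies will match.
pass in  quick on $insides all tag INSIDE keep state
pass out quick tagged INSIDE keep state

# Level 2: anything that enters on the dmz interface may leave only via
# $ext_if. A DMZ-tagged packet heading out an inside interface matches no
# pass-out rule and falls back to "block log all".
pass in  quick on $dmz_if all tag DMZ keep state
pass out quick on $ext_if tagged DMZ keep state

# Level 3: nothing may be initiated from $ext_if (there is no "pass in on
# $ext_if"); only replies matching the $ext_if-bound states created above
# get in.
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it, and use `pfctl -vsr` to see the expanded rules. Because no rule mentions a source or destination network, adding a third inside interface means appending it to `$insides` and nothing else; routed networks behind em1 or em2 are covered automatically, which is the point Victor raises about `:network` only covering directly connected subnets. The cost is `set state-policy if-bound`: states no longer float, so asymmetric routing (a reply entering on a different interface than the one the state was created on) will be dropped.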