From: Victor Sudakov
To: FreeBSD Questions (freebsd-questions@freebsd.org)
Date: Sun, 9 Oct 2011 12:15:54 +0700
Subject: need help with pf configuration
Message-ID: <20111009051554.GA91440@admin.sibptus.tomsk.ru>
In-Reply-To: <20111009015141.GA60380@hs1.VERBENA>
References: <20111008235238.GB3136@hs1.VERBENA> <20111009015141.GA60380@hs1.VERBENA>
Organization: AO "Svyaztransneft", SibPTUS

Colleagues,

I have a configuration with 2 inside interfaces, 1 outside and 1 dmz interface. The traffic should be able to flow

1) from inside1 to any (and back)
2) from inside2 to any (and back)
3) from dmz to outside only (and back).

I need no details, just a general hint how to set up such security levels, preferably independent of actual IP addresses behind the interfaces (a :network macro is not always sufficient). It would be nice to find a configuration that would scale to any number of interfaces with different security levels.

On a Cisco PIX I would configure

outside security0
inside1 security100
inside2 security100
dmz security50

and that's it, the PIX logic would do the rest.

Thank you very much in advance for any input.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:sudakov@sibptus.tomsk.ru
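One way to get PIX-like security levels in pf without depending on the networks behind the interfaces, as an added example that is not part of the original post or of any reply in the thread: tag every flow on the interface it enters with the name of that interface, and emit a "pass out ... tagged" rule only for egress interfaces whose level is not higher than the ingress level. The script below generates the pf.conf from a level table, so it scales to any number of interfaces. The interface names em0..em3 and the level table are constructed assumptions; the pf.conf(5) keywords it emits (set skip, block, pass, quick, tag, tagged, keep state) are real.

```shell
#!/bin/sh
# Added example (not from the original post or any pf documentation):
# emulate Cisco PIX-style interface security levels in pf.  Every flow is
# tagged on the interface it enters with "FROM_<interface>", and a
# "pass out ... tagged" rule exists only for egress interfaces whose level
# is not higher than the ingress level.  Nothing here depends on the IP
# networks behind the interfaces.  The interface names em0..em3 and the
# level table are constructed assumptions.

# Table: macro name, interface, security level (higher = more trusted).
# Equal levels may reach each other, which is what the poster wants for
# inside1/inside2 (a PIX would need "same-security-traffic permit
# inter-interface" for that).
LEVELS='
outside em0 0
inside1 em1 100
inside2 em2 100
dmz     em3 50
'

# Decision rule: may a flow that entered on an interface of level $1
# leave on an interface of level $2?
level_allows() {
	if [ "$1" -ge "$2" ]; then return 0; else return 1; fi
}

# pf_level_rules: read the table on stdin, print a pf.conf ruleset for
# forwarded traffic on stdout.
pf_level_rules() {
	table=$(cat)

	# Interface macros, so the rules read like the PIX configuration.
	printf '%s\n' "$table" | while read -r name ifc lvl; do
		[ -n "$name" ] || continue
		printf '%s="%s"\n' "$name" "$ifc"
	done
	printf '\nset skip on lo0\n'
	# Default deny.  The pass rules below are "quick", so the first one
	# that matches wins and anything unmatched falls back to this block.
	printf 'block log all\n\n'

	printf '%s\n' "$table" | while read -r sname sifc slvl; do
		[ -n "$sname" ] || continue
		# Egress interfaces this ingress may reach (level(src) >= level(dst)).
		egress=$(printf '%s\n' "$table" | while read -r dname difc dlvl; do
			[ -n "$dname" ] && [ "$dname" != "$sname" ] &&
				level_allows "$slvl" "$dlvl" && printf '%s ' "$dname"
		done)
		# An interface with no reachable peer (outside at level 0) gets no
		# "pass in" at all: it cannot initiate anything.
		[ -n "$egress" ] || continue
		printf '# level %s: flows entering $%s may leave via: %s\n' "$slvl" "$sname" "$egress"
		# The state created here carries the tag, so every later packet of
		# the flow (and the replies coming back out this interface) inherits it.
		printf 'pass in quick on $%s tag FROM_%s keep state\n' "$sname" "$sname"
		for dname in $egress; do
			printf 'pass out quick on $%s tagged FROM_%s keep state\n' "$dname" "$sname"
		done
		printf '\n'
	done
}

# Stand-alone use: print the ruleset.  On the firewall, pipe it into
# "pfctl -nf -" to syntax-check it before loading.
printf '%s\n' "$LEVELS" | pf_level_rules
```

With the table above, dmz gets "pass in ... tag FROM_dmz" plus a single "pass out on $outside tagged FROM_dmz", so a flow started in the dmz toward inside1 is accepted on em3 but dropped by "block log all" on em1; the two inside interfaces get pass-out rules for every other interface; outside gets no pass-in rule at all. pf evaluates the out rules because a forwarded flow creates one state on the ingress and one on the egress interface. The generated rules cover forwarded traffic only: the "pass in" also admits packets addressed to the firewall itself from that interface, and NAT for private inside networks and services the outside must reach in the dmz need their own rules (nat and rdr rules accept tag/tagged too).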