From owner-freebsd-questions@FreeBSD.ORG Mon Oct 10 13:34:38 2011 Return-Path: Delivered-To: freebsd-questions@freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 2C4E4106566B for ; Mon, 10 Oct 2011 13:34:38 +0000 (UTC) (envelope-from vas@mpeks.tomsk.su) Received: from relay2.tomsk.ru (relay2.tomsk.ru [212.73.124.8]) by mx1.freebsd.org (Postfix) with ESMTP id 6A8868FC1B for ; Mon, 10 Oct 2011 13:34:36 +0000 (UTC) X-Virus-Scanned: by clamd daemon 0.93.1 for FreeBSD at relay2.tomsk.ru Received: from admin.sibptus.tomsk.ru (account sudakov@sibptus.tomsk.ru [212.73.125.240] verified) by relay2.tomsk.ru (CommuniGate Pro SMTP 5.1.13) with ESMTPSA id 20891026 for freebsd-questions@freebsd.org; Mon, 10 Oct 2011 20:34:34 +0700 Received: from admin.sibptus.tomsk.ru (sudakov@localhost [127.0.0.1]) by admin.sibptus.tomsk.ru (8.14.3/8.14.3) with ESMTP id p9ADYXuV031982 for ; Mon, 10 Oct 2011 20:34:34 +0700 (OMSST) (envelope-from vas@mpeks.tomsk.su) Received: (from sudakov@localhost) by admin.sibptus.tomsk.ru (8.14.3/8.14.3/Submit) id p9ADYXKA031981 for freebsd-questions@freebsd.org; Mon, 10 Oct 2011 20:34:33 +0700 (NOVT) (envelope-from vas@mpeks.tomsk.su) X-Authentication-Warning: admin.sibptus.tomsk.ru: sudakov set sender to vas@mpeks.tomsk.su using -f Date: Mon, 10 Oct 2011 20:34:33 +0700 From: Victor Sudakov To: FreeBSD Questions Message-ID: <20111010133433.GA31810@admin.sibptus.tomsk.ru> Mail-Followup-To: Victor Sudakov , FreeBSD Questions References: <20111008235238.GB3136@hs1.VERBENA> <20111009015141.GA60380@hs1.VERBENA> <20111009051554.GA91440@admin.sibptus.tomsk.ru> <20111009083855.0e9879f6@davenulle.org> <20111009073910.GB92531@admin.sibptus.tomsk.ru> <20111009113106.3848a1cb@davenulle.org> <4E9184D4.50303@infracaninophile.co.uk> Mime-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <4E9184D4.50303@infracaninophile.co.uk> User-Agent: Mutt/1.4.2.3i Organization: AO "Svyaztransneft", SibPTUS X-PGP-Key: http://www.livejournal.com/pubkey.bml?user=victor_sudakov X-PGP-Fingerprint: 10E3 1171 1273 E007 C2E9 3532 0DA4 F259 9B5E C634 Subject: Re: need help with pf configuration X-BeenThere: freebsd-questions@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list List-Id: User questions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 10 Oct 2011 13:34:38 -0000 Matthew Seaman wrote: > > > >>>> > > > I need no details, just a general hint how to setup such security > >>>> > > > levels, preferably independent of actual IP addressses behind the > >>>> > > > interfaces (a :network macro is not always sufficient). > >>> > > > >>> > > You may use urpf-failed instead :network > >>> > > urpf-failed: Any source address that fails a unicast reverse path > >>> > > forwarding (URPF) check, i.e. packets coming in on an interface > >>> > > other than that which holds the route back to the packet's source > >>> > > address. > >> > > >> > Excuse me, I do not see how this is relevant to my question (allowing > >> > traffic to be initiated from a more secure interface to a less secure > >> > interface and not vice versa). > > Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in > > FreeBSD). There is no concept of security level at all, you must specify > > on each interface the traffic allowed (in input and output). > > > > My reply was about the use of the interface:network addresses. > > pf has the concept of packet tagging. So you can write a small rule to > tag traffic crossing eg. your set of internal interfaces and then write > one ruleset to filter all that traffic identified by tag. Thank you again. Tags rule! The following excerpt illustrates the concept I have tested in my lab: pass in on $dmz from any to any tag FROMDMZ pass in on $inside from any to any block out on $inside tagged FROMDMZ The second rule is required to create state for the return traffic to flow from $dmz to $inside. -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:sudakov@sibptus.tomsk.ru