Date: Sun, 9 Oct 2011 11:31:06 +0200 From: Patrick Lamaiziere <patfbsd@davenulle.org> To: Victor Sudakov <vas@mpeks.tomsk.su> Cc: FreeBSD Questions <freebsd-questions@freebsd.org> Subject: Re: need help with pf configuration Message-ID: <20111009113106.3848a1cb@davenulle.org> In-Reply-To: <20111009073910.GB92531@admin.sibptus.tomsk.ru> References: <CAEZdUGikPzsN=q-m_szHJCGxGT81UGA7Lbd7remTDdiqM5p3og@mail.gmail.com> <20111008235238.GB3136@hs1.VERBENA> <CAEZdUGiV_aXM67S4Yfw-i5tPZcwCWOiKPSFCPBOLkCfWjMmjeQ@mail.gmail.com> <20111009015141.GA60380@hs1.VERBENA> <20111009051554.GA91440@admin.sibptus.tomsk.ru> <20111009083855.0e9879f6@davenulle.org> <20111009073910.GB92531@admin.sibptus.tomsk.ru>
next in thread | previous in thread | raw e-mail | index | archive | help
Le Sun, 9 Oct 2011 14:39:10 +0700, Victor Sudakov <vas@mpeks.tomsk.su> a écrit : > > > I need no details, just a general hint how to setup such security > > > levels, preferably independent of actual IP addressses behind the > > > interfaces (a :network macro is not always sufficient). > > > > You may use urpf-failed instead :network > > urpf-failed: Any source address that fails a unicast reverse path > > forwarding (URPF) check, i.e. packets coming in on an interface > > other than that which holds the route back to the packet's source > > address. > > Excuse me, I do not see how this is relevant to my question (allowing > traffic to be initiated from a more secure interface to a less secure > interface and not vice versa). Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in FreeBSD). There is no concept of security level at all, you must specify on each interface the traffic allowed (in input and output). My reply was about the use of the interface:network addresses. Regards.
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20111009113106.3848a1cb>