Date: Sun, 09 Oct 2011 14:44:13 +0300
From: Nikos Vassiliadis <nvass@gmx.com>
To: Victor Sudakov <vas@mpeks.tomsk.su>, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: need help with pf configuration
Message-ID: <4E91890D.7050105@gmx.com>
In-Reply-To: <20111009073910.GB92531@admin.sibptus.tomsk.ru>
References: <CAEZdUGikPzsN=q-m_szHJCGxGT81UGA7Lbd7remTDdiqM5p3og@mail.gmail.com> <20111008235238.GB3136@hs1.VERBENA> <CAEZdUGiV_aXM67S4Yfw-i5tPZcwCWOiKPSFCPBOLkCfWjMmjeQ@mail.gmail.com> <20111009015141.GA60380@hs1.VERBENA> <20111009051554.GA91440@admin.sibptus.tomsk.ru> <20111009083855.0e9879f6@davenulle.org> <20111009073910.GB92531@admin.sibptus.tomsk.ru>
On 10/9/2011 10:39 AM, Victor Sudakov wrote:
> Patrick Lamaiziere wrote:
>>
>>> I have a configuration with 2 inside interfaces, 1 outside and 1 dmz
>>> interface. The traffic should be able to flow
>>>
>>> 1) from inside1 to any (and back)
>>> 2) from inside2 to any (and back)
>>> 3) from dmz to outside only (and back).
>>>
>>> I need no details, just a general hint how to set up such security
>>> levels, preferably independent of actual IP addresses behind the
>>> interfaces (a :network macro is not always sufficient).
>>
>> You may use urpf-failed instead of :network
>> urpf-failed: Any source address that fails a unicast reverse path
>> forwarding (URPF) check, i.e. packets coming in on an interface other
>> than that which holds the route back to the packet's source address.
>
> Excuse me, I do not see how this is relevant to my question (allowing
> traffic to be initiated from a more secure interface to a less secure
> interface and not vice versa).
>

What if you combine macros and lists? The ruleset below seems "scalable"
to any number of interfaces.

inside1 = em1
inside2 = em2
dmz = em0
insides = "{" $inside1:network $inside2:network "}"

pass in on $dmz from $dmz:network to any
block in on $dmz from any to $insides

This expands nicely to:

lab# pfctl -vf te
inside1 = "em1"
inside2 = "em2"
dmz = "em0"
insides = "{ em1:network em2:network }"
pass in on em0 inet from 192.168.73.0/24 to any flags S/SA keep state
block drop in on em0 inet from any to 10.0.0.0/29
block drop in on em0 inet from any to 192.168.56.0/24

HTH,
Nikos
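A complete pf.conf covering all three requirements with the same macro-and-list pattern, added here as an illustration and not part of Nikos's message or of any FreeBSD ruleset; the outside interface name em3, the default-deny policy and the urpf-failed rule (from Patrick's suggestion) are my assumptions:

```pf
# Added example, not from the thread. Interface names are assumed:
# em3 = outside (assumed), em1/em2 = inside and em0 = dmz (as in the thread).
ext     = "em3"
inside1 = "em1"
inside2 = "em2"
dmz     = "em0"
insides = "{" $inside1:network $inside2:network "}"

set skip on lo0

# Default deny inbound on every interface. The pass rules below override
# it for permitted directions because, without "quick", the last matching
# rule wins.
block in log all

# Drop packets arriving on an interface other than the one that routes
# back to their source address (spoofed-source protection between zones).
block in log quick from urpf-failed

# Replies to permitted connections are matched by the state entries, so
# nothing has to be passed in explicitly on the less secure side.
pass out keep state

# Inside interfaces: may initiate to anything (requirements 1 and 2).
pass in on $inside1 from $inside1:network to any keep state
pass in on $inside2 from $inside2:network to any keep state

# DMZ: may initiate to anything (requirement 3) ...
pass in on $dmz from $dmz:network to any keep state
# ... except the inside networks; listed later, this block wins.
block in log on $dmz from any to $insides
```

Check the macro and :network expansion without loading the rules with `pfctl -nvf /etc/pf.conf`, the same way the `pfctl -vf te` run above shows the shorter ruleset.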