From: Nikos Vassiliadis <nvass@gmx.com>
Date: Sun, 09 Oct 2011 14:44:13 +0300
To: Victor Sudakov, FreeBSD Questions <freebsd-questions@freebsd.org>
Subject: Re: need help with pf configuration
Message-ID: <4E91890D.7050105@gmx.com>
In-Reply-To: <20111009073910.GB92531@admin.sibptus.tomsk.ru>

On 10/9/2011 10:39 AM, Victor Sudakov wrote:
> Patrick Lamaiziere wrote:
>>
>>> I have a configuration with 2 inside interfaces, 1 outside and 1 dmz
>>> interface. The traffic should be able to flow
>>>
>>> 1) from inside1 to any (and back)
>>> 2) from inside2 to any (and back)
>>> 3) from dmz to outside only (and back).
>>>
>>> I need no details, just a general hint how to setup such security
>>> levels, preferably independent of actual IP addresses behind the
>>> interfaces (a :network macro is not always sufficient).
>>
>> You may use urpf-failed instead of :network
>> urpf-failed: Any source address that fails a unicast reverse path
>> forwarding (URPF) check, i.e. packets coming in on an interface other
>> than that which holds the route back to the packet's source address.
>
> Excuse me, I do not see how this is relevant to my question (allowing
> traffic to be initiated from a more secure interface to a less secure
> interface and not vice versa).
>

What if you combine macros and lists? The ruleset below seems "scalable"
to any number of interfaces.

inside1 = em1
inside2 = em2
dmz = em0
insides = "{" $inside1:network $inside2:network "}"

pass in on $dmz from $dmz:network to any
block in on $dmz from any to $insides

This expands nicely to:

lab# pfctl -vf te
inside1 = "em1"
inside2 = "em2"
dmz = "em0"
insides = "{ em1:network em2:network }"
pass in on em0 inet from 192.168.73.0/24 to any flags S/SA keep state
block drop in on em0 inet from any to 10.0.0.0/29
block drop in on em0 inet from any to 192.168.56.0/24

HTH, Nikos
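The full three-level policy from Victor's original question, written with the same macro-and-list approach Nikos shows, as an added example that is not part of this thread. The interface names, in particular em3 as the outside interface, are assumptions.

```pf
# Added example, not from the thread: Nikos's macro-and-list pattern carried
# through to the whole policy. Interface names are assumptions; "em3" for the
# outside interface does not appear in the thread.
ext_if  = "em3"
inside1 = "em1"
inside2 = "em2"
dmz     = "em0"
inside_ifs  = "{" $inside1 $inside2 "}"
inside_nets = "{" $inside1:network $inside2:network "}"

set skip on lo0

# Default deny on ingress. Egress stays open; the stateful pass rules on the
# ingress side carry the reply traffic ("and back") without further rules.
block in all
pass out all

# Drop spoofed sources first (an inside address arriving on the dmz, etc.).
# This is the role Patrick's urpf-failed hint plays in the thread.
antispoof quick for { $inside1 $inside2 $dmz }

# 1) and 2): both inside networks may initiate to anywhere. "any" includes
#            the other inside network; add a block rule if they must be isolated.
pass in on $inside_ifs from $inside_nets to any

# 3): the dmz may initiate only towards the outside. pf uses last-match
#     semantics, so the narrower block after the pass wins for inside targets,
#     exactly as in Nikos's two-rule snippet.
pass in on $dmz from $dmz:network to any
block in on $dmz from $dmz:network to $inside_nets
```

Check the expansion before activating it with `pfctl -nvf pf.conf` (-n parses without loading); note that `:network` is expanded at load time, so the ruleset must be reloaded after an interface address changes.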