From owner-freebsd-pf@FreeBSD.ORG Tue Aug 25 13:03:20 2009
From: Maxim Khitrov <mkhitrov@gmail.com>
Date: Tue, 25 Aug 2009 08:39:34 -0400
Message-ID: <26ddd1750908250539l79735cabg4ce99c4eb445f61c@mail.gmail.com>
To: freebsd-pf@freebsd.org
Subject: Filtering on multi-interface firewall
List-Id: "Technical discussion and general questions about packet filter (pf)"
Hello all,

A quick question regarding the behavior of FreeBSD and pf when you have multiple local interfaces. In my case, I have a Soekris net5501 board with one interface being the uplink to the ISP and the other three dedicated to separate networks. There should be no traffic passing from one network to the other, and no one (except for a few admin IPs) should be able to connect to any firewall port, especially ssh. So to accomplish this, I have a default "block" rule followed by what traffic is allowed to pass. The following rule is used to permit internet traffic from one of the LANs:

pass in quick on $int_if from ($int_if:network) to !($int_if) tag INET

When this packet goes out on $ext_if, it is processed by a nat rule followed by another pass:

nat on $ext_if tagged INET -> ($ext_if:0)
pass out quick on $ext_if queue (def, pri)

This part should work without problems (I say "should" because I don't have the ability to test all of this right now). But my question is about what happens if someone on the $int_if network tries to connect to the IP assigned to $ext_if or to one of the other two interfaces? It seems to me that this packet would be passed when coming in on $int_if, because the "!($int_if)" portion of the rule is satisfied. Once the packet makes it to the kernel, would the system then recognize that it is the final destination for that packet and let it go to whatever port was specified (ssh, for example)?

What I'm looking for is a way to define a "pass in" rule, so long as the destination is guaranteed not to be the firewall itself, and I'm not sure if "!($int_if)" accounts for this other scenario. I know that I can create a table containing "self," but then the ruleset would need to be reloaded for every IP change. Is there some other way to specify "pass this packet in only if it isn't addressed to any local interface?"

- Max
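The following pf.conf is an added example that lays out the design described in the post; it is not the poster's ruleset and not part of the original message. Interface names (vr0 to vr3), the three LAN networks and the admin addresses are constructed for illustration. Rather than relying on "!($int_if)", which only excludes the addresses of that one interface, it puts every address the firewall must never forward to (its own addresses via "self", plus the other LAN networks) into one table and negates that table on the "pass in" rule. As the post already notes, "self" in a table is expanded when the ruleset is loaded, so the table has to be reloaded after an interface address changes; that trade-off is kept here deliberately because it is the behaviour the post asks about.

```pf
# Added example ruleset (not from the original post). Interface names,
# networks and admin addresses below are constructed for illustration.
ext_if  = "vr0"          # uplink to the ISP (assumed vr(4) naming on the net5501)
lan1_if = "vr1"
lan2_if = "vr2"
lan3_if = "vr3"
lan1_net = "10.1.0.0/24" # constructed LAN networks
lan2_net = "10.2.0.0/24"
lan3_net = "10.3.0.0/24"

# Constructed admin hosts that may reach the firewall's own ports.
table <admin> const { 192.0.2.10, 192.0.2.11 }

# Everything a LAN host must not be forwarded to: the firewall's own
# addresses on every interface ("self") and all LAN networks. "self" is
# resolved when the ruleset is loaded, so run "pfctl -f /etc/pf.conf"
# after an address change, as the post points out.
table <local_nets> { self, $lan1_net, $lan2_net, $lan3_net }

set skip on lo0

# Default deny; every rule below is "quick", so the first match wins.
block log all

# Only the admin hosts reach ssh on any address the firewall owns. All
# other traffic to "self" falls through to the default block.
pass in quick proto tcp from <admin> to self port ssh flags S/SA keep state

# LAN -> Internet only. The negated table excludes the firewall itself and
# the other LANs, which "!($lan1_if)" alone would not do.
pass in quick on $lan1_if from ($lan1_if:network) to !<local_nets> tag INET
pass in quick on $lan2_if from ($lan2_if:network) to !<local_nets> tag INET
pass in quick on $lan3_if from ($lan3_if:network) to !<local_nets> tag INET

# Tagged traffic is NATed to the uplink address and allowed out on it.
nat on $ext_if tagged INET -> ($ext_if:0)
pass out quick on $ext_if tagged INET keep state
```

A point worth keeping in mind when reading this: with pf's default state policy (set state-policy floating), the state created by a "pass in" rule matches the same connection on whichever interface it leaves, so once a LAN packet has been passed in, no "pass out" rule on another LAN interface is consulted for it. That is why the destination restriction has to live on the "pass in" rule itself. "pfctl -nvf /etc/pf.conf" shows the rules as pf expands them, and "pfctl -t local_nets -T show" shows what "self" expanded to at load time.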