From: "Vitaliy Vladimirovich" <artemrts@ukr.net>
To: Jeremy Chadwick
Cc: freebsd-pf@freebsd.org
Date: Wed, 26 Mar 2008 12:55:00 +0200
Subject: Re[2]: PF rules for internal interface
In-Reply-To: <20080326100030.GA79074@eos.sc1.parodius.com>
List: freebsd-pf@freebsd.org ("Technical discussion and general questions about packet filter (pf)")

--- Original Message ---
From: Jeremy Chadwick
To: Vitaliy Vladimirovich
Date: 26 March, 12:00:30
Subject: Re: PF rules for internal interface

> On Wed, Mar 26, 2008 at 10:51:52AM +0200, Vitaliy Vladimirovich wrote:
> > Hello! I have a problem with restriction rules for my internal interface.
> > ...
>
> Please don't stick stuff like this all on one line. It's impossible to
> read.
>
> > These are my rules for $int_if:
> >
> > pass out quick on $int_if
> > block in on $int_if
> > pass in on $int_if from $mynet to any
> >
> > But in this situation computers from other subnets can ping my
> > internal interface. Where is my mistake? Thanks in advance.
>
> Are these the ONLY RULES you have in your pf.conf?

No. These are the rules for my int_if only. I have omitted "antispoof quick for { lo0 sk0 }". sk0 is the internal interface.

> If not: you must remember that the deny/block in "block in on $int_if"
> may get overridden later in the file, depending upon what rules past
> that point are. This may be what's happening: later rules do
> not specify an interface (thus matching all interfaces). For example,
> if your rules are:
>
> pass out quick on $int_if
> block in on $int_if
> pass in on $int_if from $mynet to any
> pass in from $othernet to any
>
> In this case, the "block" will not happen when incoming packets from
> $othernet arrive on $int_if.
>
> I've two recommendations:
>
> 1) Consider using "antispoof", if your concern is someone spoofing
> packets across $int_if
>
> 2) Consider using these rules instead:
>
> pass in quick on $int_if from $mynet to any
> pass out quick on $int_if from $mynet to any
> block in quick on $int_if
> {...other rules...}

OK. Below are my new rules following your recommendations:

int_if="sk0"
mynet="10.0.100.0/16"

antispoof quick for { lo0 sk0 }
pass in quick on $int_if from $mynet to any
pass out quick on $int_if from any to $mynet
block in quick on $int_if

But it does not work. I can ping my server from another host not in mynet. What's wrong??
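An added illustration, not part of the thread and not code from either poster: the Python script below models the pf evaluation order that Jeremy's reply relies on (the last matching rule wins unless a matching rule carries "quick", and a packet no rule matches is passed), then runs both rulesets from the thread through it. The macro values int_if="sk0" and mynet="10.0.100.0/16" are Vitaliy's; the $othernet value 192.168.50.0/24, the host addresses, and the second interface name em0 are assumptions made for the example, and antispoof is not modelled. The address check masks the way pf does, so the script also shows which range a prefix written as 10.0.100.0/16 really covers.

```python
"""Model of pf rule evaluation: the last matching rule wins, unless a matching
rule says 'quick', which ends evaluation at once; a packet no rule matches is
passed.  Covers only pass/block, in/out, quick, on, from, to (no antispoof)."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

@dataclass
class Packet:
    iface: str        # interface the packet is seen on, e.g. "sk0"
    direction: str    # "in" or "out" relative to the firewall host
    src: str
    dst: str

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # None matches both directions
    iface: Optional[str] = None       # None matches every interface
    src: str = "any"
    dst: str = "any"
    quick: bool = False
    text: str = ""                    # original line, kept for reporting

# keyword -> Rule attribute that takes the following token as its value
_VALUE_KEYWORDS = {"on": "iface", "from": "src", "to": "dst"}

def parse_rule(line: str, macros: dict) -> Rule:
    """Parse one pf.conf line after substituting $macro references."""
    toks = [macros[t[1:]] if t.startswith("$") else t for t in line.split()]
    if toks[0] not in ("pass", "block"):
        raise ValueError(f"unsupported action in: {line}")
    rule, i = Rule(action=toks[0], text=line), 1
    while i < len(toks):
        tok = toks[i]
        if tok in ("in", "out"):
            rule.direction = tok
        elif tok == "quick":
            rule.quick = True
        elif tok in _VALUE_KEYWORDS:
            i += 1
            setattr(rule, _VALUE_KEYWORDS[tok], toks[i])
        else:
            raise ValueError(f"unsupported keyword {tok!r} in: {line}")
        i += 1
    return rule

def addr_matches(spec: str, addr: str) -> bool:
    """'any' matches all; otherwise compare under the mask as pf does, so a
    non-canonical prefix like 10.0.100.0/16 covers 10.0.0.0-10.0.255.255."""
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in (None, pkt.direction)
            and rule.iface in (None, pkt.iface)
            and addr_matches(rule.src, pkt.src)
            and addr_matches(rule.dst, pkt.dst))

def evaluate(lines: list, macros: dict, pkt: Packet) -> tuple:
    """Return (verdict, text of the deciding rule or None)."""
    verdict, winner = "pass", None          # pf's implicit default is pass
    for rule in (parse_rule(l, macros) for l in lines):
        if rule_matches(rule, pkt):
            verdict, winner = rule.action, rule.text
            if rule.quick:                  # 'quick' stops the walk here
                break
    return verdict, winner

def effective_network(spec: str) -> str:
    """The range pf really matches for a prefix as written in pf.conf."""
    return str(ipaddress.ip_network(spec, strict=False))

# Macros from the thread; 'othernet' and the host addresses below are constructed.
MACROS = {"int_if": "sk0", "mynet": "10.0.100.0/16", "othernet": "192.168.50.0/24"}

# Jeremy's example: a later rule with no 'on' clause overrides the block.
OVERRIDDEN = [
    "pass out quick on $int_if",
    "block in on $int_if",
    "pass in on $int_if from $mynet to any",
    "pass in from $othernet to any",
]

# Vitaliy's revised ruleset from the end of the message (antispoof left out).
REVISED = [
    "pass in quick on $int_if from $mynet to any",
    "pass out quick on $int_if from any to $mynet",
    "block in quick on $int_if",
]

if __name__ == "__main__":
    outsider = Packet("sk0", "in", "192.168.50.7", "10.0.0.1")
    print("overridden:", evaluate(OVERRIDDEN, MACROS, outsider))
    print("revised:   ", evaluate(REVISED, MACROS, outsider))
    # em0 is an assumed second interface; no rule above names it.
    print("other if:  ", evaluate(REVISED, MACROS, Packet("em0", "in", "192.168.50.7", "10.0.0.1")))
    print("10.0.100.0/16 matches", effective_network("10.0.100.0/16"))
```

Two things the run makes visible: with the revised rules an outside source arriving in on sk0 is blocked by the quick rule, whereas in the overridden ruleset the interface-less "pass in from $othernet" rule wins because nothing stops evaluation before it; and the same rules say nothing about a packet arriving on any other interface, for which no rule matches and pf's default pass applies. The example therefore only settles what these rules do on sk0, not how a given host reaches the server.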