From owner-freebsd-pf@FreeBSD.ORG Wed Mar 26 13:33:24 2008
Delivered-To: freebsd-pf@freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id CBBF4106564A; Wed, 26 Mar 2008 13:33:24 +0000 (UTC) (envelope-from kkutzko@teksavvy.com)
Received: from ironport2-out.teksavvy.com (ironport2-out.teksavvy.com [206.248.154.182]) by mx1.freebsd.org (Postfix) with ESMTP id 84A728FC12; Wed, 26 Mar 2008 13:33:24 +0000 (UTC) (envelope-from kkutzko@teksavvy.com)
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: AuwEAKjt6UdMCqa7/2dsb2JhbACBWolQn1sE
X-IronPort-AV: E=Sophos;i="4.25,558,1199682000"; d="scan'208";a="16851271"
Received: from mail.pppoe.ca (HELO mail.teksavvy.com) ([65.39.192.132]) by ironport2-out.teksavvy.com with ESMTP; 26 Mar 2008 09:32:21 -0400
Received: from kevin ([76.10.166.187]) by mail.teksavvy.com (Internet Mail Server v1.0) with ASMTP id GQG41821; Wed, 26 Mar 2008 09:32:21 -0400
From: "Kevin K"
To: "'Vitaliy Vladimirovich'", "'Jeremy Chadwick'"
Cc: freebsd-pf@freebsd.org
References: <20080326100030.GA79074@eos.sc1.parodius.com>
Date: Wed, 26 Mar 2008 09:31:57 -0400
Message-ID: <000801c88f45$c3d76dd0$4b864970$@com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
X-Mailer: Microsoft Office Outlook 12.0
Thread-Index: AciPMFqGbbYR4JUDSbewhov64jmXCgAFVNqA
Content-Language: en-us
Subject: RE: Re[2]: PF rules for internal interface
X-BeenThere: freebsd-pf@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
List-Id: "Technical discussion and general questions about packet filter \(pf\)"
X-List-Received-Date: Wed, 26 Mar 2008 13:33:24 -0000

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Vitaliy Vladimirovich
> Sent: Wednesday, March 26, 2008 6:58 AM
> To: Jeremy Chadwick
> Cc: freebsd-pf@freebsd.org
> Subject: Re[2]: PF rules for internal interface
>
> --- Original Message ---
> From: Jeremy Chadwick
> To: Vitaliy Vladimirovich
> Date: 26 March, 12:00:30
> Subject: Re: PF rules for internal interface
>
> > On Wed, Mar 26, 2008 at 10:51:52AM +0200, Vitaliy Vladimirovich wrote:
> > > Hello! I have a problem with restriction rules for my internal interface.
> > > ...
> >
> > Please don't stick stuff like this all on one line. It's impossible to read.
> >
> > > These are my rules for $int_if:
> > >
> > > pass out quick on $int_if
> > > block in on $int_if
> > > pass in on $int_if from $mynet to any
> > >
> > > But in this situation computers from other subnets can ping my
> > > internal interface. Where is my mistake? Thanks in advance.
> >
> > Are these the ONLY RULES you have in your pf.conf?
> >
> > If not: you must remember that the deny/block in "block in on $int_if"
> > may get overridden later in the file, depending upon what rules past
> > that point are. This may be what's happening, assuming later rules do
> > not specify an interface (thus matching all interfaces). For example,
> > if your rules are:
> >
> > pass out quick on $int_if
> > block in on $int_if
> > pass in on $int_if from $mynet to any
> > pass in from $othernet to any
> >
> > In this case, the "block" will not happen when incoming packets from
> > $othernet arrive on $int_if.
> >
> > I've two recommendations:
> >
> > 1) Consider using "antispoof", if your concern is someone spoofing
> > packets across $int_if
> >
> > 2) Consider using these rules instead:
> >
> > pass in quick on $int_if from $mynet to any
> > pass out quick on $int_if from $mynet to any
> > block in quick on $int_if
> >
> > {...other rules...}
>
> OK. Below are my new rules, following your recommendations:
>
> int_if="sk0"
> mynet="10.0.100.0/16"
> antispoof quick for { lo0 sk0 }
> pass in quick on $int_if from $mynet to any
> pass out quick on $int_if from any to $mynet
> block in quick on $int_if
>
> But it does not work. I can ping my server from another host not in
> mynet. What's wrong??

Something is wrong with your formatting in your emails. Newlines are non-existent and your email is impossible to read. Please re-format your emails.
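The rule-ordering point Jeremy makes in the quoted reply (pf evaluates a ruleset top to bottom, the last matching rule decides the packet's fate, and only a `quick` rule stops evaluation early) is easy to state and easy to get wrong in a long pf.conf. Below is a small Python model of that evaluation order, added here by the editor; it is not code from the thread or from pf itself, only filter rules are modelled (no states, no `antispoof`, no NAT), and the addresses used for `$mynet`, `$othernet` and the test packets are constructed for the illustration. It runs Jeremy's "overridden block" example and his `quick` rewrite side by side, and also feeds Vitaliy's posted `mynet="10.0.100.0/16"` through the same matcher: a /16 mask covers 10.0.0.0 through 10.0.255.255, so any 10.0.x.x host is inside `$mynet` and is passed, not only hosts in 10.0.100.x. Whether that is the cause of the ping Vitaliy sees cannot be told from the thread, but it is one thing worth checking alongside the rest of the ruleset.

```python
"""Toy model of pf filter-rule evaluation order (editor's example, not pf code).

pf semantics modelled here:
  * rules are evaluated in file order;
  * every matching rule overwrites the current decision (last match wins);
  * a matching rule marked 'quick' ends evaluation immediately;
  * if nothing matches, the packet is passed (pf's implicit default).
Not modelled: state tracking, antispoof, NAT/rdr, protocols and ports.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def net(cidr: str) -> ipaddress.IPv4Network:
    """Parse 'host/prefix' the way a prefix mask is applied: host bits are masked off,
    so '10.0.100.0/16' becomes the 10.0.0.0/16 network."""
    return ipaddress.ip_network(cidr, strict=False)


@dataclass(frozen=True)
class Rule:
    action: str                              # "pass" or "block"
    direction: str                           # "in" or "out"
    iface: Optional[str] = None              # None == rule has no 'on <if>' (matches any interface)
    src: Optional[ipaddress.IPv4Network] = None  # None == 'from any'
    quick: bool = False

    def matches(self, direction: str, iface: str, src_ip: ipaddress.IPv4Address) -> bool:
        if self.direction != direction:
            return False
        if self.iface is not None and self.iface != iface:
            return False
        if self.src is not None and src_ip not in self.src:
            return False
        return True


def evaluate(rules: List[Rule], direction: str, iface: str, src_ip: str) -> str:
    """Return 'pass' or 'block' for a packet, following pf's last-match/quick rules."""
    ip = ipaddress.ip_address(src_ip)
    decision = "pass"                        # pf's implicit default when no rule matches
    for rule in rules:
        if rule.matches(direction, iface, ip):
            decision = rule.action           # last matching rule wins ...
            if rule.quick:
                break                        # ... unless it is 'quick', which ends evaluation
    return decision


# Constructed values for the illustration (assumptions, not from the thread).
INT_IF = "sk0"
MYNET = net("10.0.100.0/24")
OTHERNET = net("192.168.1.0/24")

# Jeremy's first example: 'block in on $int_if' followed by an interface-less pass.
OVERRIDDEN = [
    Rule("pass", "out", INT_IF, quick=True),     # pass out quick on $int_if
    Rule("block", "in", INT_IF),                 # block in on $int_if
    Rule("pass", "in", INT_IF, MYNET),           # pass in on $int_if from $mynet to any
    Rule("pass", "in", None, OTHERNET),          # pass in from $othernet to any  (no 'on')
]

# Jeremy's recommended rewrite with 'quick' on every rule.
RECOMMENDED = [
    Rule("pass", "in", INT_IF, MYNET, quick=True),   # pass in quick on $int_if from $mynet to any
    Rule("pass", "out", INT_IF, MYNET, quick=True),  # pass out quick on $int_if from $mynet to any
    Rule("block", "in", INT_IF, quick=True),         # block in quick on $int_if
    Rule("pass", "in", None, OTHERNET),              # {...other rules...}: never reached on sk0
]

# Vitaliy's posted rules, with his mynet="10.0.100.0/16" parsed as pf applies the mask.
VITALIY_MYNET = net("10.0.100.0/16")
NEW_RULES = [
    Rule("pass", "in", INT_IF, VITALIY_MYNET, quick=True),
    Rule("block", "in", INT_IF, quick=True),
]

if __name__ == "__main__":
    pkt = "192.168.1.10"                     # constructed $othernet host arriving on sk0
    print("overridden ruleset :", evaluate(OVERRIDDEN, "in", INT_IF, pkt))    # pass
    print("recommended ruleset:", evaluate(RECOMMENDED, "in", INT_IF, pkt))   # block
    print("10.0.100.0/16 is   :", VITALIY_MYNET)                               # 10.0.0.0/16
    print("10.0.7.5 on sk0    :", evaluate(NEW_RULES, "in", INT_IF, "10.0.7.5"))     # pass
    print("172.16.0.9 on sk0  :", evaluate(NEW_RULES, "in", INT_IF, "172.16.0.9"))   # block
```

The model confirms the mechanism Jeremy describes: without `quick`, the later `pass in from $othernet to any` is the last match for an `$othernet` packet on `sk0` and overrides the earlier block; with `quick`, the block is final. On a real system the equivalent check is `pfctl -sr` to see the loaded rules in evaluation order and `pfctl -vsr` to see which of them are accruing matches.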