Date: Thu, 21 Nov 2019 18:49:22 +0100
From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: freebsd-net@freebsd.org
Subject: Re: pf, stateful filter and DMZ
Message-ID: <59ac7be3-b79d-a13e-b64f-cd4dae43b9e4@tuxpowered.net>
In-Reply-To: <20191121151041.GA93735@admin.sibptus.ru>
References: <20191121151041.GA93735@admin.sibptus.ru>
On 21.11.19 16:10, Victor Sudakov wrote:
> Dear Colleagues,
>
> A quick question about pf from an ipfw user.
>
> Suppose I have three interfaces: $outside, $inside and $dmz. If I want
> to block any traffic from $dmz to $inside, unless it is
>
> 1. Return traffic from $inside to $dmz

pf is a stateful firewall and you can't really skip its statefulness. It
will always allow return traffic if you allowed the outgoing connection.

> 2. ICMP traffic in any direction

Sounds like a bad idea. Why would you do it?

> would these rules be sufficient?
>
> block in on $dmz
> pass in on $dmz proto icmp
> pass out on $inside

For me this rather looks like you allow from $dmz to $inside but block
from $dmz to $outside. Rules are not "quick", so the last one matching
applies. However, somebody else should verify this; I'm always only using
quick rules so I'm not 100% sure.
-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
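The reply above turns on two pf facts: a forwarded packet is filtered "in" on the interface it arrives on and "out" on the interface it leaves by, and within one ruleset the last matching rule decides unless a matching rule is marked "quick". The following Python model is an added illustration, not code from the thread or from pf itself. It parses just enough of pf.conf syntax to hold Victor's three rules, evaluates them the way pf orders matches, and then repeats the exercise with "quick" to show why ordering flips once quick is used. The interface names "dmz", "inside" and "outside" stand in for the $dmz/$inside/$outside macros and are assumptions; the model deliberately has no state table, no addresses and no NAT, so it cannot show the return-traffic behaviour the reply mentions, only the static rule ordering.

```python
"""Toy model of pf rule ordering (added example, not pf's own code).

pf semantics modelled here:
  * rules are evaluated top to bottom; the LAST match wins,
  * unless a matching rule carries "quick", which stops evaluation,
  * if nothing matches, pf's default is pass,
  * a forwarded packet must pass "in" on its ingress interface and
    "out" on its egress interface.
Not modelled: state table, addresses/ports, NAT, interface groups.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Rule:
    action: str            # "pass" or "block"
    direction: str         # "in" or "out"
    iface: Optional[str]   # interface name, None = any
    proto: Optional[str]   # "tcp", "udp", "icmp", None = any
    quick: bool = False


def parse_rule(line: str) -> Rule:
    """Parse a pf.conf subset: <action> [quick] <in|out> [on IFACE] [proto P]."""
    tokens = line.split()
    action = tokens.pop(0)
    if action not in ("pass", "block"):
        raise ValueError(f"unknown action {action!r}")
    quick = False
    if tokens and tokens[0] == "quick":
        quick = True
        tokens.pop(0)
    direction = tokens.pop(0)
    if direction not in ("in", "out"):
        raise ValueError(f"unknown direction {direction!r}")
    iface = proto = None
    while tokens:
        kw = tokens.pop(0)
        if kw == "on":
            iface = tokens.pop(0)
        elif kw == "proto":
            proto = tokens.pop(0)
        else:
            raise ValueError(f"unsupported keyword {kw!r}")
    return Rule(action, direction, iface, proto, quick)


def parse_ruleset(text: str) -> List[Rule]:
    lines = [l.strip() for l in text.splitlines()]
    return [parse_rule(l) for l in lines if l and not l.startswith("#")]


def evaluate(rules: List[Rule], direction: str, iface: str, proto: str) -> str:
    """Decision for one packet on one interface in one direction."""
    decision = "pass"                       # pf default when nothing matches
    for r in rules:
        if r.direction != direction:
            continue
        if r.iface is not None and r.iface != iface:
            continue
        if r.proto is not None and r.proto != proto:
            continue
        decision = r.action                 # last match wins ...
        if r.quick:
            break                           # ... unless it is quick
    return decision


def forward(rules: List[Rule], in_iface: str, out_iface: str, proto: str) -> str:
    """A forwarded packet is filtered twice and must pass both checks."""
    if evaluate(rules, "in", in_iface, proto) == "block":
        return "block"
    return evaluate(rules, "out", out_iface, proto)


# The three rules quoted in the thread, with macro names used as interface names.
POSTED_RULES = """
block in on dmz
pass in on dmz proto icmp
pass out on inside
"""

# Same intent written with quick: the ICMP exception must now come FIRST,
# because the first quick match ends evaluation.
QUICK_PASS_FIRST = """
pass quick in on dmz proto icmp
block quick in on dmz
pass out on inside
"""

# Same rules with quick but in the original order: the block wins for ICMP too.
QUICK_BLOCK_FIRST = """
block quick in on dmz
pass quick in on dmz proto icmp
pass out on inside
"""

if __name__ == "__main__":
    for name, text in (("posted", POSTED_RULES),
                       ("quick, pass first", QUICK_PASS_FIRST),
                       ("quick, block first", QUICK_BLOCK_FIRST)):
        rs = parse_ruleset(text)
        for proto in ("tcp", "icmp"):
            for dst in ("inside", "outside"):
                print(f"{name:18s} dmz->{dst:7s} {proto:4s}: {forward(rs, 'dmz', dst, proto)}")
```

Running the model on the posted rules, every non-ICMP packet arriving on $dmz hits "block in on $dmz" as its last match regardless of whether it would leave via $inside or $outside, and ICMP from $dmz passes because the later, more specific rule overrides the earlier block. With "quick" the same two rules only behave that way when the ICMP pass is placed before the block, which is the ordering difference the reply points at.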