From: Kajetan Staszkiewicz <vegeta@tuxpowered.net>
To: freebsd-net@freebsd.org
Subject: Re: pf, stateful filter and DMZ
Date: Thu, 21 Nov 2019 18:49:22 +0100
Message-ID: <59ac7be3-b79d-a13e-b64f-cd4dae43b9e4@tuxpowered.net>
In-Reply-To: <20191121151041.GA93735@admin.sibptus.ru>
List-Id: Networking and TCP/IP with FreeBSD

On 21.11.19 16:10, Victor Sudakov wrote:
> Dear Colleagues,
>
> A quick question about pf from an ipfw user.
>
> Suppose I have three interfaces: $outside, $inside and $dmz. If I want
> to block any traffic from $dmz to $inside, unless it is
>
> 1. Return traffic from $inside to $dmz

pf is a stateful firewall and you can't really skip its statefulness. It
will always allow return traffic if you allowed the outgoing connection.

> 2. ICMP traffic in any direction

Sounds like a bad idea. Why would you do it?

> would these rules be sufficient?
>
> block in on $dmz
> pass in on $dmz proto icmp
> pass out on $inside
>

For me this rather looks like you allow from $dmz to $inside but block
from $dmz to $outside. Rules are not "quick" so the last one matching
applies. However somebody else should verify this, I'm always only using
quick rules so I'm not 100% sure.
-- 
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
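The two pf behaviours the reply leans on, last-match-wins unless a rule is `quick`, and state created by a `pass` rule admitting the reply traffic, can be checked against the three rules quoted above with a small model of the evaluation order. The following is an added example written for this thread, not pf source and not code from either poster. It assumes FreeBSD pf defaults as I understand them: a packet matching no rule is passed, `pass` rules keep state, states are floating (a state created on one interface also matches the flow and its replies on other interfaces), and a forwarded packet is filtered inbound on the ingress interface and then outbound on the egress interface. Ports, TCP flags, NAT and `skip` are deliberately left out, and the host names `dmzhost`, `lanhost` and `inethost` are constructed placeholders for addresses.

```python
"""Toy model of pf ruleset evaluation (added example, not pf's implementation).

Assumed pf defaults: last matching rule wins unless 'quick'; a packet
matching no rule is passed; 'pass' rules keep state; states are floating;
a forwarded packet is filtered inbound on the ingress interface and then
outbound on the egress interface.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: str                   # the "on $iface" part of the rule
    proto: Optional[str] = None  # None matches any protocol
    quick: bool = False          # stop evaluation as soon as this rule matches

    def matches(self, direction: str, iface: str, proto: str) -> bool:
        return (self.direction == direction and self.iface == iface
                and (self.proto is None or self.proto == proto))


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str  # constructed host names stand in for addresses
    dst: str


class PfModel:
    def __init__(self, rules):
        self.rules = list(rules)
        self.states = set()  # floating states keyed on (proto, src, dst)

    def _state_allows(self, pkt: Packet) -> bool:
        # A state matches the original direction and the reply direction.
        return ((pkt.proto, pkt.src, pkt.dst) in self.states
                or (pkt.proto, pkt.dst, pkt.src) in self.states)

    def _ruleset_decision(self, direction: str, iface: str, pkt: Packet) -> str:
        decision = "pass"  # nothing matched: pf passes the packet
        for rule in self.rules:
            if rule.matches(direction, iface, pkt.proto):
                decision = rule.action
                if rule.quick:
                    break      # 'quick': first match is final
        return decision        # otherwise the last match wins

    def filter(self, direction: str, iface: str, pkt: Packet) -> str:
        if self._state_allows(pkt):
            return "pass"      # an existing state bypasses the ruleset
        decision = self._ruleset_decision(direction, iface, pkt)
        if decision == "pass":
            self.states.add((pkt.proto, pkt.src, pkt.dst))  # implicit keep state
        return decision

    def forward(self, in_iface: str, out_iface: str, pkt: Packet) -> str:
        """Verdict for a packet routed from in_iface to out_iface."""
        if self.filter("in", in_iface, pkt) == "block":
            return "block"
        return self.filter("out", out_iface, pkt)


# The ruleset quoted in the thread; $dmz, $inside, $outside are interface names.
THREAD_RULES = [
    Rule("block", "in", "dmz"),
    Rule("pass", "in", "dmz", proto="icmp"),
    Rule("pass", "out", "inside"),
]


def evaluate_thread_ruleset() -> dict:
    """Verdicts for representative flows under the quoted ruleset."""
    pf = PfModel(THREAD_RULES)
    verdicts = {
        "tcp dmz->inside": pf.forward("dmz", "inside", Packet("tcp", "dmzhost", "lanhost")),
        "icmp dmz->inside": pf.forward("dmz", "inside", Packet("icmp", "dmzhost", "lanhost")),
        "icmp dmz->outside": pf.forward("dmz", "outside", Packet("icmp", "dmzhost", "inethost")),
    }
    # Fresh model: a connection opened from $inside, then its reply from $dmz.
    pf2 = PfModel(THREAD_RULES)
    verdicts["tcp inside->dmz"] = pf2.forward("inside", "dmz", Packet("tcp", "lanhost", "dmzhost"))
    verdicts["tcp reply dmz->inside"] = pf2.forward("dmz", "inside", Packet("tcp", "dmzhost", "lanhost"))
    return verdicts


def evaluate_quick_variant() -> str:
    """Same rules, but 'block in quick on $dmz': the later ICMP pass never applies."""
    pf = PfModel([Rule("block", "in", "dmz", quick=True),
                  Rule("pass", "in", "dmz", proto="icmp"),
                  Rule("pass", "out", "inside")])
    return pf.forward("dmz", "inside", Packet("icmp", "dmzhost", "lanhost"))


if __name__ == "__main__":
    for flow, verdict in evaluate_thread_ruleset().items():
        print(f"{flow:24s} {verdict}")
    print(f"{'icmp dmz->inside (quick)':24s} {evaluate_quick_variant()}")
```

Under these assumptions, non-ICMP traffic entering on `$dmz` is stopped by the first rule at ingress whatever its destination, ICMP entering on `$dmz` is passed by the later matching rule and then admitted on any egress interface by the state it created, and a connection opened from `$inside` gets its reply back through `$dmz` via state without any rule having to name it. Turning the first rule into `block in quick` reverses the ICMP verdict, which is the difference between last-match and first-match evaluation the reply describes.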