On 11/21/2019 9:10 AM, Victor Sudakov wrote:
Dear Colleagues,
A quick question about pf from an ipfw user.
Suppose I have three interfaces: $outside, $inside and $dmz. If I want
to block any traffic from $dmz to $inside, unless it is
1. Return traffic from $inside to $dmz
2. ICMP traffic in any direction
would these rules be sufficient?
block in on $dmz
pass in on $dmz proto icmp
pass out on $inside
Assuming a default to deny with narrow match criteria (using in/out &
from/to), you probably want something like the following ...
# default to deny
block log all
# pass icmp from dmz to inside
pass in log on $if_dmz proto icmp from $net_dmz to $net_inside
pass out log on $if_inside proto icmp from $net_dmz to $net_inside
# pass from inside to dmz
pass in log on $if_inside from $net_inside to $net_dmz
pass out log on $if_dmz from $net_inside to $net_dmz
Rules will keep state by default unless you disable ( w/ no keep state
), so return packets will pass ( icmp from inside to dmz | any from dmz
to inside ). You could broaden the match criteria by dropping the
from/to selectors.
-Matthew
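The ruleset above as a complete, loadable pf.conf. This is an added example, not Matthew's posted config: the interface names, the macro names ($if_outside, $if_inside, $if_dmz, $net_inside, $net_dmz) and the address ranges are assumed, and the $if_outside rules are placeholders since the thread never discusses that interface.

```pf
# Added example, not from the thread. Interface and address values are
# assumed; adjust to the real topology.
if_outside = "em0"
if_inside  = "em1"
if_dmz     = "em2"
net_inside = "192.168.10.0/24"
net_dmz    = "192.168.20.0/24"

set skip on lo0

# Default deny. pf evaluates every rule and the LAST matching rule wins
# (unless a rule says "quick"), so the pass rules below override this.
block log all

# ICMP may originate in the dmz and reach inside. The rules keep state
# by default, so echo replies from inside come back through that state
# without needing their own pass rule.
pass in  log on $if_dmz    proto icmp from $net_dmz to $net_inside
pass out log on $if_inside proto icmp from $net_dmz to $net_inside

# Inside may initiate anything toward the dmz. Return traffic from the
# dmz matches the state and passes; nothing new may originate in the dmz.
pass in  log on $if_inside from $net_inside to $net_dmz
pass out log on $if_dmz    from $net_inside to $net_dmz

# Placeholder: "block log all" also drops $if_outside traffic, so real
# pass rules for that interface go here.
```

Check the syntax before loading with `pfctl -nf /etc/pf.conf`, load it with `pfctl -f /etc/pf.conf`, and watch the states that actually get created with `pfctl -ss` while pinging from the dmz. Two caveats worth knowing: pf state is floating by default, so a packet admitted by `pass in on $if_inside` usually also matches its own state on the way out of $if_dmz, which makes the `pass out` rules belt-and-braces rather than strictly required (they become necessary under `set state-policy if-bound`); and because there is no `quick`, any later broader pass rule you add would silently win over `block log all`, so keep the outside-interface rules as narrow as these.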
freebsd-net@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-net