Patrick Lamaiziere wrote: > > > > > I need no details, just a general hint how to setup such security > > > > levels, preferably independent of actual IP addressses behind the > > > > interfaces (a :network macro is not always sufficient). > > > > > > You may use urpf-failed instead :network > > > urpf-failed: Any source address that fails a unicast reverse path > > > forwarding (URPF) check, i.e. packets coming in on an interface > > > other than that which holds the route back to the packet's source > > > address. > > > > Excuse me, I do not see how this is relevant to my question (allowing > > traffic to be initiated from a more secure interface to a less secure > > interface and not vice versa). > > Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in > FreeBSD). There is no concept of security level at all, you must specify > on each interface the traffic allowed (in input and output).
Actually you can with ipfw. The following concise ruleset should do it: check-state permit ip from any to any recv INSIDE xmit DMZ keep-state permit ip from any to any recv INSIDE xmit OUTSIDE keep-state permit ip from any to any recv DMZ xmit OUTSIDE keep-state -- Victor Sudakov, VAS4-RIPE, VAS47-RIPN sip:suda...@sibptus.tomsk.ru _______________________________________________ freebsd-questions@freebsd.org mailing list http://lists.freebsd.org/mailman/listinfo/freebsd-questions To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
