Your packet flow looks like this:

         IN
<nuser> ----> $wan_if (Packets from <nuser> enter on
                        $wan_if on port 1194/TCP =>
                        tag 'NORM')

         IN
any     ----> $tun_if (Packets from any can enter on
                        $tun_if on port {80,443}/TCP
                        _if_ they were tagged 'NORM'
                        before)

In this case packets that enter on $wan_if/$tun_if have
nothing to do with each other, hence PF handles them
separately. (first seen)


         IN           OUT
<nuser> ----> $wan_if ---> $tun_if

(Packets entering on $wan_if on port 1194/TCP get tagged
'NORM' and can leave on $tun_if to port { 80, 443 }/TCP
_if_ they were tagged 'NORM' before)

Now PF knows about the relationship between $wan_if
and $tun_if.


        -Mark


On Fri, Nov 11, 2005 at 03:37:57PM +0100, Wild Karl-Heinz wrote:
> In message "pf tagging and matching over more than one interface ..."
>    on 11.11.2005, David fire <[EMAIL PROTECTED]> writes:
> 
> Df> you only tag the package to port 1194 in both cases and you are allowing only
> Df> tagged packages to ports 22, 80, 443
> 
> Port 1194 on wan_if is handled by openvpn.
> Then the data will be redirected to the
> tun interface and there I'll be filtering the
> traffic.
> 
> Sorry, I didn't explain enough.
> 
> Df> 2005/11/11, Karl-Heinz Wild <[EMAIL PROTECTED]>:
> >>
> >> I try to tag a connection on the wan_if and
> >> accordingly on the tag I'll restrict the
> >> access on another interface like.
> >>
> >> an example ...
> >>
> >> pass in quick on wan_if proto tcp from <nuser> to port 1194 tag NORM keep state
> >> pass in quick on wan_if proto tcp from <puser> to port 1194 tag POWER keep state
> >>
> >> pass in quick on tun_if to port { 80, 443 } tagged NORM keep state
> >> pass in quick on tun_if to port { 22, 80, 443 } tagged POWER keep state
> >>
> >> ...
> >>
> >> but I don't know why. It doesn't work.
> >> I thought that works.
> >>
> >> I ask for advice.
> >> Thanks
> >>
> >> Karl-Heinz
> 

-- 
Mark Patruck - Security Consultant

patruck consulting
http://www.patruck-consulting.de
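The in/out relationship Mark describes, written out as a pf.conf fragment (an added example, not a ruleset posted in this thread); the interface names and the table contents are assumptions:

```pf
# Added example, not from the thread. Interface names and table
# addresses are constructed placeholders.
wan_if = "fxp0"
tun_if = "tun0"
table <nuser> { 192.0.2.10, 192.0.2.11 }
table <puser> { 192.0.2.20 }

# Default for the tunnel side: anything leaving $tun_if that does not
# carry a known tag is dropped and logged (visible on pflog0).
block out log on $tun_if

# Tag the packet where it enters the firewall, on $wan_if ...
pass in quick on $wan_if proto tcp from <nuser> to port 1194 tag NORM keep state
pass in quick on $wan_if proto tcp from <puser> to port 1194 tag POWER keep state

# ... and match that tag on the way OUT of $tun_if. A "pass in on $tun_if
# ... tagged NORM" rule never matches here: the tag was set on a packet
# that entered $wan_if, not on one entering $tun_if, so PF treats the
# two "in" directions as unrelated (first seen on each interface).
pass out quick on $tun_if proto tcp to port { 80, 443 } tagged NORM keep state
pass out quick on $tun_if proto tcp to port { 22, 80, 443 } tagged POWER keep state

# Syntax check without loading:  pfctl -nf /etc/pf.conf
# Inspect the loaded rules:       pfctl -vsr
```

The tag travels only with a packet PF itself forwards from one interface to the other; traffic that terminates in a userland daemon listening on 1194 and is written back out on the tun device by that daemon arrives at PF as new, untagged packets, so this pattern should be verified against pflog0 before relying on it.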
