look below
Jon Hart wrote:
> On Tue, Nov 15, 2005 at 02:39:59PM -0800, Christian Petro wrote:
>
>>OpenBSD 3.6
>>
>>/etc/pf.conf
>>
>>When a table, and corresponding rule is defined using:
>>
>>table <LimitedAccess> persist { 192.168.1.16, 192.168.1.17 }
>>
>>block out quick on $ExtIf inet proto { tcp, udp } from <LimitedAccess>
>>to any port $OutIm
>>
>>OR EVEN
>>
>>block out quick on $ExtIf inet proto { icmp, udp, tcp } from
>><LimitedAccess> to any
>>
>>
>>The result is both IP addresses are allowed to pass through the firewall.
>>
>>
>>Can anyone comment?
>
>
> Yes.
>
> There can be many reasons that either of your rules will result in those
> two hosts being allowed through the firewall.
>
> What is the rest of the pf.conf? Without that, I can only guess.
>
> -jon
>
set loginterface fxp1
set limit { states 90000, frags 90000 }
set optimization conservative
set block-policy drop
scrub in all
###############
# DEFINE MACROS
###############
# list of interfaces
LoIf="lo0"
IntIf="fxp0"
ExtIf="fxp1"
OutTcp=" some ports"
OutIcmp=" some types"
OutUdp=" some ports"
OutIm=" some ports"
table <AllAccess> persist { some ips }
table <LimitedAccess> persist { 192.168.1.16, 192.168.1.17 }
table <private> persist { some ips }
table <SitesAllowed> persist { some sites }
##################################
# RULES IN/OUT for lo0, fxp0, fxp1
##################################
# default policy
block in log all
block out log all
# trusted interfaces
pass in quick on $LoIf all
pass out quick on $LoIf all
pass in quick on $IntIf all
pass out quick on $IntIf all
# anti-spoofing rule
block drop in quick on $ExtIf inet from <private> to any
# outbound traffic
pass out quick on $ExtIf inet proto icmp from <AllAccess> to any icmp-type $OutIcmp keep state
pass out quick on $ExtIf inet proto udp from <AllAccess> to any port $OutUdp keep state
pass out quick on $ExtIf inet proto tcp from <AllAccess> to any keep state
block out quick on $ExtIf inet proto { tcp, udp } from <LimitedAccess> to any port $OutIm
pass out quick on $ExtIf inet proto tcp from <LimitedAccess> to <SitesAllowed> port $OutWeb keep state
block out on $ExtIf inet proto { icmp, udp, tcp } from <LimitedAccess> to any
#pass out on $ExtIf inet proto tcp from any to any port $OutTcp keep state
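Editor's note, added to this thread and not part of the original post: the outcome for 192.168.1.16/17 is decided by pf's evaluation order (rules are tried top to bottom, the last matching rule wins, and a matching "quick" rule ends evaluation immediately), so it depends on what the placeholder tables and macros actually contain. In particular, if <AllAccess> ("some ips" above) overlaps <LimitedAccess>, the "pass out quick ... from <AllAccess>" rules fire before any of the <LimitedAccess> rules are reached. Note also that $OutWeb is used in the ruleset but is not among the macros defined above. The following Python model, written for this note and not pf's own code, replays the outbound part of the posted ruleset in the posted order against a few constructed packets; the table contents and macro values ($OutIm, $OutWeb, $OutUdp, the addresses in <SitesAllowed>) are assumed stand-ins for the placeholders.

```python
"""Simplified model of pf rule evaluation, added to illustrate the ruleset
posted in this thread. It is NOT pf's code. Semantics modelled:
  * rules are evaluated top to bottom and the LAST matching rule wins,
  * unless a matching rule carries "quick", which stops evaluation there,
  * a packet matching no rule at all passes.
Table contents and macro values below are assumed stand-ins for the
"some ips" / "some ports" placeholders in the posted pf.conf."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                           # "pass" or "block"
    direction: str                        # "in" or "out"
    iface: str                            # interface name, or "any"
    src: str = "any"                      # "any", "<table>" or an address/CIDR
    dst: str = "any"
    protos: FrozenSet[str] = frozenset()  # empty = any protocol
    dports: FrozenSet[int] = frozenset()  # empty = any destination port
    quick: bool = False


@dataclass(frozen=True)
class Packet:
    direction: str
    iface: str
    proto: str
    src: str
    dst: str
    dport: int = 0


def addr_matches(spec: str, addr: str, tables: dict) -> bool:
    """Match a rule address spec ("any", "<table>" or CIDR) against an address."""
    if spec == "any":
        return True
    ip = ipaddress.ip_address(addr)
    nets = tables.get(spec[1:-1], ()) if spec.startswith("<") else (spec,)
    return any(ip in ipaddress.ip_network(n, strict=False) for n in nets)


def rule_matches(r: Rule, p: Packet, tables: dict) -> bool:
    return (r.direction == p.direction
            and r.iface in ("any", p.iface)
            and (not r.protos or p.proto in r.protos)
            and addr_matches(r.src, p.src, tables)
            and addr_matches(r.dst, p.dst, tables)
            and (not r.dports or p.dport in r.dports))


def evaluate(rules, p: Packet, tables: dict) -> Tuple[str, Optional[int]]:
    """Return (action, index of the deciding rule); index None = implicit pass."""
    decision: Tuple[str, Optional[int]] = ("pass", None)
    for i, r in enumerate(rules):
        if rule_matches(r, p, tables):
            decision = (r.action, i)   # last match wins ...
            if r.quick:                # ... unless it is quick
                break
    return decision


# Assumed values for the macros whose contents the post does not show.
EXT_IF, INT_IF = "fxp1", "fxp0"
OUT_IM = frozenset({5190, 1863})   # assumed $OutIm
OUT_WEB = frozenset({80, 443})     # assumed $OutWeb (never defined in the post)
OUT_UDP = frozenset({53, 123})     # assumed $OutUdp


def ruleset():
    """The posted rules, minus the lo0 pair, in the posted order (index 0 first)."""
    tcp, udp, icmp = frozenset({"tcp"}), frozenset({"udp"}), frozenset({"icmp"})
    return [
        Rule("block", "in", "any"),                                        # 0
        Rule("block", "out", "any"),                                       # 1
        Rule("pass", "in", INT_IF, quick=True),                            # 2
        Rule("pass", "out", INT_IF, quick=True),                           # 3
        Rule("block", "in", EXT_IF, src="<private>", quick=True),          # 4
        Rule("pass", "out", EXT_IF, src="<AllAccess>", protos=icmp, quick=True),                  # 5
        Rule("pass", "out", EXT_IF, src="<AllAccess>", protos=udp, dports=OUT_UDP, quick=True),   # 6
        Rule("pass", "out", EXT_IF, src="<AllAccess>", protos=tcp, quick=True),                   # 7
        Rule("block", "out", EXT_IF, src="<LimitedAccess>", protos=tcp | udp, dports=OUT_IM, quick=True),             # 8
        Rule("pass", "out", EXT_IF, src="<LimitedAccess>", dst="<SitesAllowed>", protos=tcp, dports=OUT_WEB, quick=True),  # 9
        Rule("block", "out", EXT_IF, src="<LimitedAccess>", protos=icmp | udp | tcp),             # 10
    ]


def decide(src: str, dst: str, proto: str, dport: int, all_access) -> Tuple[str, Optional[int]]:
    """Evaluate one outbound packet on $ExtIf. `all_access` is the assumed
    content of <AllAccess>; its overlap with <LimitedAccess> is what flips
    the result for 192.168.1.16/17."""
    tables = {
        "AllAccess": set(all_access),
        "LimitedAccess": {"192.168.1.16", "192.168.1.17"},   # from the post
        "private": {"10.0.0.0/8"},                          # assumed
        "SitesAllowed": {"203.0.113.5"},                    # assumed
    }
    return evaluate(ruleset(), Packet("out", EXT_IF, proto, src, dst, dport), tables)


if __name__ == "__main__":
    for args in [("192.168.1.16", "203.0.113.5", "tcp", 80, []),
                 ("192.168.1.16", "198.51.100.7", "tcp", 25, []),
                 ("192.168.1.16", "198.51.100.7", "tcp", 25, ["192.168.1.0/24"])]:
        print(args, "->", decide(*args))
```

With <AllAccess> disjoint from <LimitedAccess>, a limited host reaches an allowed site on an $OutWeb port (rule 9), is stopped by the quick block on an $OutIm port (rule 8), and is otherwise caught by the final non-quick block (rule 10). As soon as <AllAccess> contains the limited hosts, rules 5 to 7 match first and, being quick, the later block rules are never consulted. On the real box, `pfctl -sr` shows the rules as loaded and `pfctl -t AllAccess -T show` shows what the table actually holds.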