On Wed, 03 Sep 2014 09:33:24 -0300, Giancarlo Razzolini <grazzol...@gmail.com> wrote:
> On 03-09-2014 09:08, andy wrote:
>> The DMZ was just an example.. We can call it anything ;)
>>
>> I'm just trying to ask why this doesn't work;
>>
>> pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state
>>
>> It gets a PF syntax error? Why?
>>
>>
>> Thanks for your time, Andy.
>
> I replied before without access to an OpenBSD machine. Now I've checked
> the pf.conf man page (again). The BNF syntax for the tagged keyword
> expects a string for the tag name. You can't use a list { }. That's why
> you can't use that rule and pfctl will throw a syntax error. I will
> check the source code later today to see if it's even feasible to do
> this. Perhaps some pf developer can weigh in.
>
> Now, your example probably wasn't the best one. Mixing internal network
> with dmz rules is not a good idea. You are prone to either blocking
> legitimate packets from the internal network or you can end up allowing
> things into your dmz that weren't supposed to get there.
>
> Cheers,
No, I agree it wasn't the best example, but I have *many* internal workstation VLANs that need access to an internal-only server VLAN (not a DMZ, I have a separate VLAN for that).

If we could use a list here, it would allow for the shortening of many rules and, as mentioned, also simplify the rules when NATing is involved.

Hopefully the devs can see the merit of my previous example :)

Cheers, Andy.
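To make the point of the thread concrete, here is an added pf.conf fragment (not from either poster) that puts the rule that fails to parse next to the per-tag rules it would have expanded to. The interface macros and their values are assumptions for illustration; the tag names T_LAN and T_DMZ are the ones from Andy's rule.

```pf
# Added example, not part of the original thread. Interface names are
# made up for illustration.
if_ext = "em0"
if_lan = "vlan10"
if_dmz = "vlan20"

# Tag traffic as it enters, one tag per source network.
pass in quick on $if_lan keep state tag T_LAN
pass in quick on $if_dmz keep state tag T_DMZ

# The rule from the thread: "tagged" takes a single string, not a { }
# list, so pfctl stops with a syntax error on this line if uncommented.
# pass out quick on $if_ext tagged { T_LAN, T_DMZ } keep state

# What the list would have expanded to: one outbound rule per tag.
pass out quick on $if_ext tagged T_LAN keep state
pass out quick on $if_ext tagged T_DMZ keep state
```

Parse the file without loading it (`pfctl -nf /path/to/pf.conf`) to see the syntax error reported for the list form before committing a ruleset.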