Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?

2018-05-07 Thread Martijn van Duren
On 05/07/18 23:51, Martin Gignac wrote:
>> It looks like 'received-on' would be a cleaner and shorter way to
>> achieve my goal by allowing me to specify inbound and outbound
>> interfaces in the same rule.
>>
>
> I think I spoke too quickly; it would be an alternative way, but not a
> shorter one

Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?

2018-05-07 Thread Peter N. M. Hansteen
On 05/07/18 18:40, Martin Gignac wrote:
> In an OpenBSD pf rule however, a rule only references a single
> interface and a direction (in, out).

This is not correct. It's perfectly valid and not unusual to have rules like pass from 10.2.3.0/24 (or 'pass to $somenet'). The default state-policy is

Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?

2018-05-07 Thread Martin Gignac
> It looks like 'received-on' would be a cleaner and shorter way to
> achieve my goal by allowing me to specify inbound and outbound
> interfaces in the same rule.
>

I think I spoke too quickly; it would be an alternative way, but not a shorter one as I would still need the initial "pass in lab01"

Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?

2018-05-07 Thread Martin Gignac
> You could also replace the above with "pass in on $lab02 received-on $lab01".

Oh, I completely missed the 'received-on' statement in the OpenBSD pf.conf man page! (I have to support a pfSense for the moment so I'm alternating between the OpenBSD and FreeBSD man pages [the latter does not support

Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?

2018-05-07 Thread Martin Gignac
> I imagine you meant "pass out on $lab02 tagged from_lab01".

You're absolutely right Ken!

Thanks,
-Martin

Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?

2018-05-07 Thread Daniel Melameth
On Mon, May 7, 2018 at 11:51 AM, Daniel Melameth wrote:
> On Mon, May 7, 2018 at 10:40 AM, Martin Gignac wrote:
>> In Juniper SRXes and Netscreen firewalls one defines security policies
>> (firewall rules) according to a "from" security zone, and a "to"
>> security zone. Rules within each "fro

Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?

2018-05-07 Thread Daniel Melameth
On Mon, May 7, 2018 at 10:40 AM, Martin Gignac wrote:
> In Juniper SRXes and Netscreen firewalls one defines security policies
> (firewall rules) according to a "from" security zone, and a "to"
> security zone. Rules within each "from-to" combo can then focus on
> allowing or blocking individual I

Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?

2018-05-07 Thread Kenneth Gober
On Mon, May 7, 2018 at 12:40 PM, Martin Gignac wrote:
> set state-policy if-bound
>
> block
>
> pass in on $lab01 tag from_lab01
> pass in on $lab02 tag from_lab02
>
> pass in on $lab02 tagged from_lab01
> block out on $lab01 tagged from_lab02
>
> Does this look like it makes sense? Is

How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?

2018-05-07 Thread Martin Gignac
Hello,

In Juniper SRXes and Netscreen firewalls one defines security policies (firewall rules) according to a "from" security zone, and a "to" security zone. Rules within each "from-to" combo can then focus on allowing or blocking individual IP subnets if required. In Linux, the FORWARD chain is