On 05/07/18 23:51, Martin Gignac wrote:
>> It looks like 'received-on' would be a cleaner and shorter way to
>> achieve my goal by allowing me to specify inbound and outbound
>> interfaces in the same rule.
>>
>
> I think I spoke too quickly; it would be an alternative way, but not a
> shorter one
On 05/07/18 18:40, Martin Gignac wrote:
> In an OpenBSD pf rule however, a rule only references a single
> interface and a direction (in, out).
This is not correct. It's perfectly valid and not unusual to have rules
like
pass from 10.2.3.0/24
(or 'pass to $somenet'). The default state-policy is
> It looks like 'received-on' would be a cleaner and shorter way to
> achieve my goal by allowing me to specify inbound and outbound
> interfaces in the same rule.
>
I think I spoke too quickly; it would be an alternative way, but not a
shorter one as I would still need the initial "pass in lab01"
> You could also replace the above with "pass in on $lab02 received-on $lab01".
Oh, I completely missed the 'received-on' statement in the OpenBSD
pf.conf man page! (I have to support a pfSense for the moment so I'm
alternating between the OpenBSD and FreeBSD man pages [the latter does
not support
> I imagine you meant "pass out on $lab02 tagged from_lab01".
You're absolutely right Ken!
Thanks,
-Martin
On Mon, May 7, 2018 at 11:51 AM, Daniel Melameth wrote:
> On Mon, May 7, 2018 at 10:40 AM, Martin Gignac
> wrote:
>> In Juniper SRXes and Netscreen firewalls one defines security policies
>> (firewall rules) according to a "from" security zone, and a "to"
>> security zone. Rules within each "fro
On Mon, May 7, 2018 at 10:40 AM, Martin Gignac wrote:
> In Juniper SRXes and Netscreen firewalls one defines security policies
> (firewall rules) according to a "from" security zone, and a "to"
> security zone. Rules within each "from-to" combo can then focus on
> allowing or blocking individual I
On Mon, May 7, 2018 at 12:40 PM, Martin Gignac wrote:
> set state-policy if-bound
>
> block
>
> pass in on $lab01 tag from_lab01
> pass in on $lab02 tag from_lab02
>
> pass in on $lab02 tagged from_lab01
> block out on $lab01 tagged from_lab02
>
> Does this look like it makes sense? Is
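As an added example (not from the thread), here is the ruleset above with Ken's correction applied, plus the received-on form of the same egress rule. It assumes $lab01 and $lab02 are interface macros and that the intent is to let hosts behind lab01 initiate traffic to lab02 but not the reverse.

```pf
# Assumed interface names (constructed for this example).
lab01 = "em1"
lab02 = "em2"

# Bind each state to the interface it was created on, so a forwarded
# packet is evaluated against the ruleset again when it leaves on the
# other interface. With the default floating policy, the state created
# by "pass in on $lab01" would also match the packet going out on $lab02
# and the "out" rules below would never be consulted.
set state-policy if-bound

# Default deny between zones.
block

# Zone ingress: tag packets with the zone they entered from.
pass in on $lab01 tag from_lab01
pass in on $lab02 tag from_lab02

# Zone egress: only traffic that entered on lab01 may leave towards lab02.
# This is the rule Ken pointed at: it must be an "out" rule on $lab02,
# since a packet arriving on $lab02 from the wire carries no tag yet.
pass out on $lab02 tagged from_lab01
block out on $lab01 tagged from_lab02

# Equivalent egress rule without tags: match on the receiving interface.
# pass out on $lab02 received-on $lab01
```

Replies to a lab01-initiated connection match the if-bound states on $lab02 (in) and $lab01 (out) and are not re-evaluated, so no extra rules are needed for return traffic.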
Hello,
In Juniper SRXes and Netscreen firewalls one defines security policies
(firewall rules) according to a "from" security zone, and a "to"
security zone. Rules within each "from-to" combo can then focus on
allowing or blocking individual IP subnets if required.
In Linux, the FORWARD chain is