On 21.11.19 16:10, Victor Sudakov wrote:
> Dear Colleagues,
>
> A quick question about pf from an ipfw user.
>
> Suppose I have three interfaces: $outside, $inside and $dmz. If I want
> to block any traffic from $dmz to $inside, unless it is
>
> 1. Return traffic from $inside to $dmz

pf is a stateful firewall and you can't really skip its statefulness. It
will always allow return traffic if you allowed the outgoing connection.

> 2. ICMP traffic in any direction

Sounds like a bad idea. Why would you do it?

> would these rules be sufficient?
>
> block in on $dmz
> pass in on $dmz proto icmp
> pass out on $inside
>

For me this rather looks like you allow from $dmz to $inside but block
from $dmz to $outside. Rules are not "quick" so the last one matching
applies. However somebody else should verify this, I'm always only using
quick rules so I'm not 100% sure.

--
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
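The intent from the question written out as a pf ruleset, as an added example that is not part of the thread or either poster's configuration. It uses the `quick` style the reply mentions, so evaluation stops at the first match and the last-match-wins ordering question does not arise; interface names and address ranges are assumed placeholders, and the ICMP rule is narrowed to echo requests as an illustration.

```pf
# Added example, not from the mailing-list thread.
# Interface names and address ranges are assumed placeholders;
# the networks use documentation ranges constructed for this example.
outside = "em0"
inside  = "em1"
dmz     = "em2"
inside_net = "192.0.2.0/24"
dmz_net    = "198.51.100.0/24"

# 1. Return traffic needs no rule of its own: the state created by the
#    inside -> dmz pass rule lets the replies back through on $dmz.
pass in on $inside from $inside_net to $dmz_net keep state

# With "quick", the first matching rule wins, so the ruleset is read
# top-down. The narrow allow goes first, the block right after it.
# 2. ICMP from the DMZ toward the inside network, limited here to echo
#    requests rather than all ICMP.
pass in quick on $dmz inet proto icmp from $dmz_net to $inside_net icmp-type echoreq

# Everything else from the DMZ to the inside network is dropped here,
# before any later "pass out on $inside" rule could be consulted.
block in quick on $dmz from $dmz_net to $inside_net

# Traffic from the DMZ to anywhere else (e.g. $outside) is unaffected.
pass in on $dmz from $dmz_net keep state
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -ss` shows the state entries that carry the return traffic.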