On 09/10/2011 10:31, Patrick Lamaiziere wrote:
> On Sun, 9 Oct 2011 14:39:10 +0700,
> Victor Sudakov <v...@mpeks.tomsk.su> wrote:
>
>>>> I need no details, just a general hint how to set up such security
>>>> levels, preferably independent of actual IP addresses behind the
>>>> interfaces (a :network macro is not always sufficient).
>>>
>>> You may use urpf-failed instead of :network
>>> urpf-failed: Any source address that fails a unicast reverse path
>>> forwarding (URPF) check, i.e. packets coming in on an interface
>>> other than that which holds the route back to the packet's source
>>> address.
>>
>> Excuse me, I do not see how this is relevant to my question (allowing
>> traffic to be initiated from a more secure interface to a less secure
>> interface and not vice versa).
>
> Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
> FreeBSD). There is no concept of security level at all, you must specify
> on each interface the traffic allowed (in input and output).
>
> My reply was about the use of the interface:network addresses.
pf has the concept of packet tagging. So you can write a small rule to tag
traffic crossing e.g. your set of internal interfaces and then write one
ruleset to filter all that traffic identified by tag. Quoting pf.conf(5):

"This can be used, for example, to provide trust between interfaces and to
determine if packets have been processed by translation rules."

I think that's roughly equivalent to what the OP was asking about.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
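A worked pf.conf illustrating the tag-based "security level" scheme Matthew describes. This is an added example, not a ruleset from any post in this thread: the interface names em0/em1/em2, the three-level ordering and the tag names are assumptions chosen for illustration. Policy is expressed purely in terms of which interface a packet entered and which it is leaving, so it needs no :network macros or address lists, which was the OP's original constraint.

```pf
# Added example, not from the thread: pf "security levels" via packet tags.
# Interface names and the trust ordering are assumptions for illustration.
int_if = "em0"   # highest trust: internal LAN
dmz_if = "em1"   # middle trust: DMZ
ext_if = "em2"   # lowest trust: Internet

set skip on lo0

# Default deny in both directions; log drops so policy mistakes are visible.
block log all

# The firewall host itself: refuse unsolicited inbound from the Internet and
# let its own outbound connections create state so replies get back in.
block in quick on $ext_if to self
pass out quick from self keep state

# Ingress: stamp every forwarded packet with the trust level of the
# interface it entered on. Tags are sticky and travel with the packet
# through the forwarding path. "no state" is deliberate: the egress rules
# below must make the real decision, so no state may be created here
# (a state created on ingress would let the packet out any interface).
pass in quick on $int_if no state tag LEVEL_HIGH
pass in quick on $dmz_if no state tag LEVEL_MED
pass in quick on $ext_if no state tag LEVEL_LOW

# Egress: let a flow out only if its tag marks a more trusted origin than
# the interface it is leaving. The state created here carries the replies
# back without any rule ever permitting an Internet- or DMZ-initiated flow.
pass out quick on $ext_if tagged LEVEL_HIGH keep state
pass out quick on $ext_if tagged LEVEL_MED  keep state
pass out quick on $dmz_if tagged LEVEL_HIGH keep state

# Everything else that is forwarded (Internet -> DMZ, Internet -> LAN,
# DMZ -> LAN) carries a tag no egress rule accepts and hits the default block.
```

Check the file with `pfctl -nvf /etc/pf.conf` before loading it, and watch `pfctl -s states` while testing a LAN-initiated connection: you should see exactly one state, created by the egress rule, and the reverse direction should produce nothing but logged blocks. The scheme relies on pf's default floating state policy; with `set state-policy if-bound` the replies would not match on the second interface. On pf versions that have the `match` keyword (OpenBSD 4.6 and later, FreeBSD 10 and later) the ingress rules can be written as `match in on $int_if tag LEVEL_HIGH` and so on, which tags without passing and removes the need for the `no state` trick.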