On Mon, May 7, 2018 at 10:40 AM, Martin Gignac <martin.gig...@gmail.com> wrote:

> In Juniper SRXes and Netscreen firewalls one defines security policies
> (firewall rules) according to a "from" security zone, and a "to"
> security zone. Rules within each "from-to" combo can then focus on
> allowing or blocking individual IP subnets if required.

...

> I am looking to define firewall policies on OpenBSD where I can
> enforce something like "all traffic from lab01 to lab02 is allowed by
> default, but all traffic from lab02 to lab01 is denied by default".
> In this case lab01 and lab02 are bound to different interfaces
> (obviously), but behind each interface is another router to which are
> attached a changing number of subnets, so I want to avoid having to
> update subnet lists in my pf rules constantly. This situation would be
> simple to deal with in Juniper/Netscreen or Linux, but I'm having a
> hard time figuring out how to achieve a similar result in pf. I
> thought about passing all traffic on ingress on the lab01 and lab02
> interfaces, tagging that traffic with a "from_lab0x" tag, and then
> having outbound rules take action based on the relevant interface and
> tag, like so:
>
> lab01 = em1
> lab02 = em2
>
> set state-policy if-bound
>
> block
>
> pass in on $lab01 tag from_lab01
> pass in on $lab02 tag from_lab02
>
> pass in on $lab02 tagged from_lab01

You could also replace the above with "pass in on $lab02 received-on $lab01".

> block out on $lab01 tagged from_lab02
>
> Does this look like it makes sense? Is using an 'if-bound'
> state-policy ill-advised? Are there any obvious problems with this
> method? If so, is there a better way to achieve my goal?
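The zone-style ruleset discussed in the thread, assembled as an added example (not a ruleset posted by either participant) with the rule directions written out and the received-on alternative from the reply shown beside the tag form. It assumes em1 and em2 are the only zone interfaces, the router forwards between them, and the one exception rule uses a placeholder collector address; any traffic the router itself needs would still require its own pass rules.

```pf
# Constructed pf.conf fragment: zone policy lab01 -> lab02 open, lab02 -> lab01 closed.
lab01 = "em1"          # zone lab01 lives behind em1
lab02 = "em2"          # zone lab02 lives behind em2

# Bind states to the interface they were created on. With the default
# floating policy the state created by "pass in" on one interface would
# also match the same packet leaving the other interface, so the "out"
# rules below would never be evaluated and the zone policy could not bite.
set state-policy if-bound

# Default deny on every interface in both directions.
block log

# Ingress: accept packets from each zone and mark them with their source zone.
pass in on $lab01 tag from_lab01
pass in on $lab02 tag from_lab02

# Policy lab01 -> lab02: allowed by default. The state created here is bound
# to em2, so replies entering on em2 are matched by state, not by rules.
pass out on $lab02 tagged from_lab01
# Equivalent without tags, as suggested in the reply (received-on matches on
# the interface the packet arrived on):
# pass out on $lab02 received-on $lab01

# Policy lab02 -> lab01: denied by default. The explicit block is redundant
# with the default deny but makes the zone decision visible in
# "pfctl -vvs rules" counters and in pflog.
block out log on $lab01 tagged from_lab02

# Exception: lab02 may send syslog to one collector in lab01.
# 192.0.2.10 is a documentation-range placeholder, not a real address.
pass out on $lab01 tagged from_lab02 proto udp to 192.0.2.10 port 514
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and note that subnets behind either zone router never appear in the rules, which is what avoids the constant subnet-list updates.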