On Mon, May 7, 2018 at 11:51 AM, Daniel Melameth <dan...@melameth.com> wrote:
> On Mon, May 7, 2018 at 10:40 AM, Martin Gignac <martin.gig...@gmail.com>
> wrote:
>> In Juniper SRXes and Netscreen firewalls one defines security policies
>> (firewall rules) according to a "from" security zone, and a "to"
>> security zone. Rules within each "from-to" combo can then focus on
>> allowing or blocking individual IP subnets if required.
> ...
>
>> I am looking to define firewall policies on OpenBSD where I can
>> enforce something like "all traffic from lab01 to lab02 is allowed by
>> default, but all traffic from lab02 to lab01 is denied by default".
>> In this case lab01 and lab02 are bound to different interfaces
>> (obviously), but behind each interface is another router to which are
>> attached a changing number of subnets, so I want to avoid having to
>> update subnet lists in my pf rules constantly. This situation would be
>> simple to deal with in Juniper/Netscreen or Linux, but I'm having a
>> hard time figuring out how to achieve a similar result in pf. I
>> thought about passing all traffic on ingress on the lab01 and lab02
>> interfaces, tagging that traffic with a "from_lab0x" tag, and then
>> having outbound rules take action based on the relevant interface and
>> tag, like so:
>>
>> lab01 = em1
>> lab02 = em2
>>
>> set state-policy if-bound
>>
>> block
>>
>> pass in on $lab01 tag from_lab01
>> pass in on $lab02 tag from_lab02
>>
>> pass in on $lab02 tagged from_lab01
>
> You could also replace the above with "pass in on $lab02 received-on $lab01".

I meant "pass out on $lab02 received-on $lab01". Obviously pass in wouldn't work in your example and mine.

>> block out on $lab01 tagged from_lab02
>>
>> Does this look like it makes sense? Is using an 'if-bound'
>> state-policy ill-advised? Are there any obvious problems with this
>> method? If so, is there a better way to achieve my goal?
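For reference, the zone-style policy from this thread assembled into one pf.conf fragment, with the ingress/egress mix-up corrected and `received-on` used in place of the tags. This is an editor's added example, not a ruleset posted by either participant; the interface names (em1, em2) are the ones the thread assumes.

```pf
# Zone-style policy: lab01 -> lab02 allowed by default,
# lab02 -> lab01 denied by default, independent of the subnets
# routed behind either interface.
lab01 = "em1"
lab02 = "em2"

# States are bound to the interface they were created on, so a
# forwarded flow needs a matching state on both its ingress and
# its egress interface.
set state-policy if-bound

# Default deny on every interface, logged for review.
block log all

# Admit traffic on ingress; the from-zone/to-zone decision is made
# on egress, so no subnet lists are needed here.
pass in on $lab01
pass in on $lab02

# lab01 -> lab02: allowed. "received-on" matches the interface the
# packet arrived on, which stands in for the "from" zone.
pass out on $lab02 received-on $lab01

# lab02 -> lab01: already covered by the default block; an explicit
# rule keeps the denial visible and distinguishable in the logs.
block return out log on $lab01 received-on $lab02
```

Note that the unrestricted `pass in` rules also admit traffic addressed to the firewall itself; narrow them if that is not wanted.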