On 2/25/06, Luke Eckley <[EMAIL PROTECTED]> wrote:
> All documentation I have seen about configuring pf on a bridge states
> to pass in/out all on one interface and filter in/out on the other.
>
> Why not just 'set skip on { lo, $bridge_int_1 }', then filter on
> $bridge_int_0?
Why not filter inbound on both, and pass all policy-based traffic out
unconditionally? That will keep your rules much cleaner. Here's a quick
example:

    # Interface definitions
    ext_if = "bge0"
    int_if = "bge1"

    # Server definitions
    ssh_server = 172.16.30.30
    smtp_server = 172.16.30.31

    # Default deny
    block drop log

    # pass local traffic
    pass quick on lo inet

    # pass tagged traffic out (tag was set by the matching inbound rule)
    pass out quick inet tagged FILTERED modulate state

    # filter rules for ext_if -> int_if
    pass in on $ext_if inet proto tcp to $ssh_server port 22 flags S/SA modulate state tag FILTERED
    pass in on $ext_if inet proto tcp to $smtp_server port 25 flags S/SA modulate state tag FILTERED

    # filter rules for int_if -> ext_if
    pass in on $int_if inet proto tcp to port {80,443} flags S/SA modulate state tag FILTERED
    # "flags" and "modulate state" only apply to TCP, so DNS over UDP gets its own rule
    pass in on $int_if inet proto tcp to port 53 flags S/SA modulate state tag FILTERED
    pass in on $int_if inet proto udp to port 53 keep state tag FILTERED
    pass in on $int_if inet proto tcp from $smtp_server to port 25 flags S/SA modulate state tag FILTERED

Experimentation (in a non-production environment) will serve you well.