On Wed, Mar 26, 2008 at 10:51:52AM +0200, Vitaliy
Vladimirovich wrote:
> Hello! I have problem with restriction rules for my
internal interface.
> ...
Please don't stick stuff like this all on one line. It's
impossible to
read.
> This is my rules for $int_if:
>
> pass out quick on $int_if
> block in on $int_if
> pass in on $int_if from $mynet to any
>
> But in this situation computers from another subnets
can ping my
> internal interface. Were is my mistake? Thanks in
advance.
Are these the ONLY RULES you have in your pf.conf?
If not: you must remember that the deny/block in "block
in on $int_if"
may get overridden later in the file, depending upon what
rules past
that point are. This may be what's happening, assuming
later rules do
not specify an interface (thus matching all interfaces).
For example,
if your rules are:
pass out quick on $int_if
block in on $int_if
pass in on $int_if from $mynet to any
pass in from $othernet to any
In this case, the "block" will not happen when
incoming packets from
$othernet arrive on $int_if.
I've two recommendations:
1) Consider using "antispoof", if your concern is
someone spoofing
packets across $int_if
2) Consider using these rules instead:
pass in quick on $int_if from $mynet to any
pass out quick on $int_if from $mynet to any
block in quick on $int_if
{...other rules...}
--
| Jeremy Chadwick jdc at
parodius.com |
| Parodius Networking http://www.parodius.com/
|
| UNIX Systems Administrator Mountain
View, CA, USA |
| Making life hard for others since 1977.
PGP: 4BD6C0CB |
_______________________________________________
freebsd-pf freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to
"freebsd-pf-unsubscribefreebsd.org"
|
