RE: Re: PF rules for internal interface
United States
2008-03-26 08:31:57

> -----Original Message-----
> From: owner-freebsd-pf@freebsd.org [mailto:owner-freebsd-pf@freebsd.org] On Behalf Of Vitaliy Vladimirovich
> Sent: Wednesday, March 26, 2008 6:58 AM
> To: Jeremy Chadwick
> Cc: freebsd-pf@freebsd.org
> Subject: Re[2]: PF rules for internal interface
> 
> --- Original Message ---
> From: Jeremy Chadwick
> To: Vitaliy Vladimirovich
> Date: 26 march, 12:00:30
> Subject: Re: PF rules for internal interface
> 
> > On Wed, Mar 26, 2008 at 10:51:52AM +0200, Vitaliy Vladimirovich wrote:
> > > Hello! I have a problem with restriction rules for my internal interface.
> > > ...
> >
> > Please don't stick stuff like this all on one line. It's impossible to
> > read.
> >
> > > These are my rules for $int_if:
> > >
> > > pass out quick on $int_if
> > > block in on $int_if
> > > pass in on $int_if from $mynet to any
> > >
> > > But in this situation computers from other subnets can ping my
> > > internal interface. Where is my mistake? Thanks in advance.
> >
> > Are these the ONLY RULES you have in your pf.conf?
> >
> > If not: you must remember that the deny/block in "block in on $int_if"
> > may get overridden later in the file, depending upon what rules past
> > that point are. This may be what's happening, assuming later rules do
> > not specify an interface (thus matching all interfaces). For example,
> > if your rules are:
> >
> > pass out quick on $int_if
> > block in on $int_if
> > pass in on $int_if from $mynet to any
> > pass in from $othernet to any
> >
> > In this case, the "block" will not happen when incoming packets from
> > $othernet arrive on $int_if.
> >
> > I've two recommendations:
> >
> > 1) Consider using "antispoof", if your concern is someone spoofing
> > packets across $int_if
> >
> > 2) Consider using these rules instead:
> >
> > pass in quick on $int_if from $mynet to any
> > pass out quick on $int_if from $mynet to any
> > block in quick on $int_if
> > {...other rules...}
> 
> OK. Below are my new rules following your recommendations:
> 
> int_if="sk0"
> mynet="10.0.100.0/16"
> antispoof quick for { lo0 sk0 }
> pass in quick on $int_if from $mynet to any
> pass out quick on $int_if from any to $mynet
> block in quick on $int_if
> 
> But it does not work. I can ping my server from another host not in
> mynet. What's wrong??


Something is wrong with the formatting of your emails. Newlines are
non-existent and your email is impossible to read. Please re-format your
emails.


_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
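The point Jeremy makes in the quoted message is pf's evaluation order: the last matching rule decides, unless a matching rule carries `quick`, which stops evaluation on the spot. The following is an added example (not code from the thread, and not pf itself) that simulates exactly that order over the two rule sets quoted above, with the macros from the thread plus a constructed `othernet` value. It only understands the subset of pf syntax those rules use; `antispoof` is not modelled. It also shows what the `/16` mask on the thread's `mynet` value actually covers, since a CIDR match uses the network, not the host bits written before the slash.

```python
"""Toy model of pf rule evaluation: last match wins, 'quick' ends the search.
Constructed example for the freebsd-pf thread above; not pf's own code."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Rule:
    action: str                      # "pass" or "block"
    direction: Optional[str]         # "in", "out", or None for either
    iface: Optional[str]             # interface name, or None for any
    src: Optional[ipaddress.IPv4Network]   # None means "any"
    dst: Optional[ipaddress.IPv4Network]   # None means "any"
    quick: bool

    def matches(self, direction, iface, src, dst):
        if self.direction and self.direction != direction:
            return False
        if self.iface and self.iface != iface:
            return False
        if self.src and src not in self.src:
            return False
        if self.dst and dst not in self.dst:
            return False
        return True


def _net(token):
    if token == "any":
        return None
    # strict=False drops host bits inside the mask, so the thread's
    # 10.0.100.0/16 becomes the network 10.0.0.0/16 (65536 addresses).
    return ipaddress.ip_network(token, strict=False)


def parse_rule(line, macros):
    """Parse rules like 'pass in quick on $int_if from $mynet to any'.
    Only the keywords used in the thread are supported."""
    for name, value in macros.items():
        line = line.replace("$" + name, value)
    toks = line.split()
    action = toks.pop(0)
    if action not in ("pass", "block"):
        raise ValueError(f"unsupported action: {action}")
    rule = Rule(action, None, None, None, None, False)
    i = 0
    while i < len(toks):
        t = toks[i]
        if t in ("in", "out"):
            rule.direction = t
            i += 1
        elif t == "quick":
            rule.quick = True
            i += 1
        elif t in ("on", "from", "to"):
            value = toks[i + 1]
            if t == "on":
                rule.iface = value
            elif t == "from":
                rule.src = _net(value)
            else:
                rule.dst = _net(value)
            i += 2
        else:
            raise ValueError(f"unsupported keyword: {t}")
    return rule


def parse_ruleset(text, macros):
    lines = [l.strip() for l in text.strip().splitlines()]
    return [parse_rule(l, macros) for l in lines if l and not l.startswith("#")]


def evaluate(rules, direction, iface, src, dst):
    """pf order: the LAST matching rule sets the verdict, except that a
    matching 'quick' rule ends evaluation immediately. With no match at
    all, pf passes the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    verdict = "pass"
    for r in rules:
        if r.matches(direction, iface, src, dst):
            verdict = r.action
            if r.quick:
                break
    return verdict


# Macros from the thread; 'othernet' is a constructed value.
MACROS = {"int_if": "sk0", "mynet": "10.0.100.0/16", "othernet": "10.1.0.0/24"}

# Jeremy's "for example" set: the last rule has no interface, so it
# overrides the non-quick block for packets from $othernet on $int_if.
RULESET_LASTMATCH = """
pass out quick on $int_if
block in on $int_if
pass in on $int_if from $mynet to any
pass in from $othernet to any
"""

# Jeremy's recommended set: every rule is quick, so the block is final.
RULESET_QUICK = """
pass in quick on $int_if from $mynet to any
pass out quick on $int_if from $mynet to any
block in quick on $int_if
"""

if __name__ == "__main__":
    for name, text in (("last-match", RULESET_LASTMATCH), ("quick", RULESET_QUICK)):
        rules = parse_ruleset(text, MACROS)
        for host in ("10.0.100.20", "10.1.0.9", "10.0.5.7", "192.168.1.5"):
            print(name, host, "->", evaluate(rules, "in", "sk0", host, "10.0.100.1"))
```

Running it prints, for the last-match set, `pass` for the `10.1.0.9` host (the interface-less rule wins) and `block` for `192.168.1.5`; for the quick set, `10.1.0.9` is blocked. Note that `10.0.5.7` passes under both sets: it is outside `10.0.100.x` but inside the `10.0.0.0/16` network that the `/16` mask denotes, so any check of the kind in the thread should start by confirming with `pfctl -sr` that the loaded rule shows the network the author intended.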
