Thread: Re: PF rules for internal interface

Re: PF rules for internal interface
Norway
2008-03-26 05:55:00
--- Original Message ---
From: Jeremy Chadwick
To: Vitaliy Vladimirovich
Date: 26 March, 12:00:30
Subject: Re: PF rules for internal interface

> On Wed, Mar 26, 2008 at 10:51:52AM +0200, Vitaliy Vladimirovich wrote:
> > Hello! I have a problem with restriction rules for my internal
> > interface.
> > ...
>
> Please don't stick stuff like this all on one line. It's impossible to
> read.
>
> > These are my rules for $int_if:
> >
> > pass out quick on $int_if
> > block in on $int_if
> > pass in on $int_if from $mynet to any
> >
> > But in this situation computers from other subnets can ping my
> > internal interface. Where is my mistake? Thanks in advance.
>
> Are these the ONLY RULES you have in your pf.conf?

No. These are the rules for my int_if only. I have omitted
"antispoof quick for { lo0 sk0 }". sk0 is the internal if.

> If not: you must remember that the deny/block in "block in on
> $int_if" may get overridden later in the file, depending upon what
> rules past that point are. This may be what's happening: later rules
> do not specify an interface (thus matching all interfaces). For
> example, if your rules are:
>
> pass out quick on $int_if
> block in on $int_if
> pass in on $int_if from $mynet to any
> pass in from $othernet to any
>
> In this case, the "block" will not happen when incoming packets from
> $othernet arrive on $int_if.
>
> I've two recommendations:
>
> 1) Consider using "antispoof", if your concern is someone spoofing
>    packets across $int_if
>
> 2) Consider using these rules instead:
>
> pass in quick on $int_if from $mynet to any
> pass out quick on $int_if from $mynet to any
> block in quick on $int_if
> {...other rules...}

OK. Below are my new rules, following your recommendations:

int_if="sk0"
mynet="10.0.100.0/16"

antispoof quick for { lo0 sk0 }
pass in quick on $int_if from $mynet to any
pass out quick on $int_if from any to $mynet
block in quick on $int_if

But it does not work. I can ping my server from another host not in
mynet. What's wrong?
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
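The ordering point Jeremy makes in the quoted reply (the last matching rule decides unless a matching rule says quick, and a rule with no "on" clause matches packets on every interface) can be checked without a pf box. The Python script below is an added example, not code from this thread or from pf itself. It models only the parts of pf evaluation the thread is about (direction, interface, source and destination address, quick) and ignores protocols, ports, state tracking and antispoof. The interface name and networks are made up: sk0 for $int_if, 10.0.0.0/16 for $mynet and 192.168.50.0/24 for $othernet. It runs the quoted "last match" ruleset and the quick-based replacement against the same constructed packets.

```python
"""Model of pf rule evaluation: last matching rule wins unless 'quick'.

Added example, not pf source. Models direction, interface, source and
destination address and the 'quick' keyword only; no protocols, ports,
state tracking or antispoof. Interface and network names are made up.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" or "out", relative to the firewall
    iface: str      # interface the packet is seen on
    src: str        # source IPv4 address
    dst: str        # destination IPv4 address


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    direction: str               # "in" or "out"
    iface: Optional[str] = None  # None models a rule with no "on" clause
    src: str = "any"             # "any" or a CIDR network
    dst: str = "any"
    quick: bool = False


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    """A rule without an interface matches packets on every interface."""
    return (rule.direction == pkt.direction
            and (rule.iface is None or rule.iface == pkt.iface)
            and _addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst))


def evaluate(ruleset, pkt: Packet) -> Tuple[str, Optional[int]]:
    """Walk the ruleset top to bottom the way pf does.

    Returns (action, index of the deciding rule). The last matching rule
    decides, except that a matching 'quick' rule ends evaluation at once.
    If nothing matches, pf's implicit default is to pass (index None).
    """
    decision: Tuple[str, Optional[int]] = ("pass", None)
    for i, rule in enumerate(ruleset):
        if matches(rule, pkt):
            decision = (rule.action, i)
            if rule.quick:
                break
    return decision


# Made-up values standing in for the macros used in the thread.
INT_IF = "sk0"
MYNET = "10.0.0.0/16"
OTHERNET = "192.168.50.0/24"

# The failure case from the quoted reply: "block in on $int_if" is not
# quick, and the final rule names no interface, so it also matches sk0.
LAST_MATCH_RULES = [
    Rule("pass", "out", INT_IF, quick=True),
    Rule("block", "in", INT_IF),
    Rule("pass", "in", INT_IF, src=MYNET),
    Rule("pass", "in", src=OTHERNET),      # last match for $othernet on sk0
]

# The suggested replacement: everything for $int_if is decided with
# quick, so later interface-less rules never see sk0 traffic.
QUICK_RULES = [
    Rule("pass", "in", INT_IF, src=MYNET, quick=True),
    Rule("pass", "out", INT_IF, src=MYNET, quick=True),
    Rule("block", "in", INT_IF, quick=True),
    Rule("pass", "in", src=OTHERNET),      # unreachable for sk0 traffic
]


def explain(ruleset, pkt: Packet) -> str:
    """One-line description of how a ruleset decides a packet."""
    action, idx = evaluate(ruleset, pkt)
    where = "implicit default" if idx is None else f"rule {idx}"
    return f"{pkt.direction} on {pkt.iface} {pkt.src} -> {pkt.dst}: {action} ({where})"


if __name__ == "__main__":
    # Constructed sample traffic: a ping from outside $mynet and one from inside.
    from_othernet = Packet("in", INT_IF, "192.168.50.7", "10.0.100.1")
    from_mynet = Packet("in", INT_IF, "10.0.100.20", "10.0.100.1")
    for name, rules in (("last-match ruleset", LAST_MATCH_RULES),
                        ("quick ruleset", QUICK_RULES)):
        print(name)
        for pkt in (from_othernet, from_mynet):
            print("  " + explain(rules, pkt))
```

Running the script shows the $othernet packet arriving on sk0 being passed by the interface-less rule 3 under the first ruleset and stopped by the quick block (rule 2) under the second, while $mynet traffic passes in both. A packet that matches no rule at all falls through to pf's default, which is pass, so a ruleset that relies on an unmatched packet being dropped needs an explicit block.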
