
Thread: Re: PF rules for internal interface




Re: PF rules for internal interface
Norway
2008-03-26 05:58:16
--- Original Message ---
From: Jeremy Chadwick
To: Vitaliy Vladimirovich
Date: 26 March, 12:00:30
Subject: Re: PF rules for internal interface

> On Wed, Mar 26, 2008 at 10:51:52AM +0200, Vitaliy Vladimirovich wrote:
> > Hello! I have a problem with restriction rules for my internal interface.
> > ...
>
> Please don't stick stuff like this all on one line. It's impossible to read.
>
> > These are my rules for $int_if:
> >
> > pass out quick on $int_if
> > block in on $int_if
> > pass in on $int_if from $mynet to any
> >
> > But in this situation computers from other subnets can ping my internal interface. Where is my mistake? Thanks in advance.
>
> Are these the ONLY RULES you have in your pf.conf?
>
> If not: you must remember that the deny/block in "block in on $int_if" may get overridden later in the file, depending upon what rules past that point are. This may be what's happening, assuming later rules do not specify an interface (thus matching all interfaces). For example, if your rules are:
>
> pass out quick on $int_if
> block in on $int_if
> pass in on $int_if from $mynet to any
> pass in from $othernet to any
>
> In this case, the "block" will not happen when incoming packets from $othernet arrive on $int_if.
>
> I've two recommendations:
>
> 1) Consider using "antispoof", if your concern is someone spoofing packets across $int_if
>
> 2) Consider using these rules instead:
>
> pass in quick on $int_if from $mynet to any
> pass out quick on $int_if from $mynet to any
> block in quick on $int_if
> {...other rules...}

OK. Below are my new rules following your recommendations:

int_if="sk0"
mynet="10.0.100.0/16"

antispoof quick for { lo0 sk0 }
pass in quick on $int_if from $mynet to any
pass out quick on $int_if from any to $mynet
block in quick on $int_if

But it does not work. I can still ping my server from another host not in mynet. What's wrong??
_______________________________________________
freebsd-pf@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-pf
To unsubscribe, send any mail to "freebsd-pf-unsubscribe@freebsd.org"
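The point Jeremy makes in the quoted reply is about pf's rule-evaluation order: the last rule that matches a packet decides its fate, a matching rule marked "quick" ends the walk immediately, and a rule that names no interface matches on every interface. The evaluator below is an added example, not code from this thread or from pf itself; it parses the small pf.conf subset used above (pass/block, in/out, quick, on <iface>, from <net> to <net>, name="value" macros) and replays the two rulesets from Jeremy's reply against constructed packets. The $othernet value, the second interface "em0" and all addresses are assumed for the demo.

```python
"""Toy evaluator for the pf.conf subset used in this thread: pass/block,
in/out, quick, on <iface>, from <net> to <net>, and name="value" macros.
Models pf's last-match-wins rule walk, "quick" short-circuiting, and the
any-interface match of rules without "on". Illustration only, not pf."""
from __future__ import annotations

import ipaddress
import re
from collections import namedtuple
from typing import Optional

# iface None = any interface; src/dst None = "any"; text = expanded rule line
Rule = namedtuple("Rule", "action direction quick iface src dst text")
Packet = namedtuple("Packet", "direction iface src dst")

MACRO_RE = re.compile(r'^(\w+)\s*=\s*"?([^"]*?)"?$')


def _net(token: str) -> Optional[ipaddress.IPv4Network]:
    if token == "any":
        return None
    # strict=True rejects prefixes with host bits set (e.g. 10.0.100.0/16),
    # which in a macro definition is almost always a typo worth catching.
    return ipaddress.ip_network(token, strict=True)


def _eat(toks: list[str], keyword: str) -> bool:
    """Pop keyword off the front of the token list if it is there."""
    if toks and toks[0] == keyword:
        toks.pop(0)
        return True
    return False


def parse_rules(conf: str) -> list[Rule]:
    macros: dict[str, str] = {}
    rules: list[Rule] = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = MACRO_RE.match(line)
        if m:
            macros[m.group(1)] = m.group(2)
            continue
        line = re.sub(r"\$(\w+)", lambda mm: macros[mm.group(1)], line)
        toks = line.split()
        action = toks.pop(0)
        if action not in ("pass", "block"):
            raise ValueError(f"unsupported rule: {line!r}")
        direction = toks.pop(0) if toks and toks[0] in ("in", "out") else None
        quick = _eat(toks, "quick")
        iface = toks.pop(0) if _eat(toks, "on") else None
        src = _net(toks.pop(0)) if _eat(toks, "from") else None
        dst = _net(toks.pop(0)) if _eat(toks, "to") else None
        if toks:
            raise ValueError(f"unparsed tokens {toks} in rule {line!r}")
        rules.append(Rule(action, direction, quick, iface, src, dst, line))
    return rules


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.direction in (None, pkt.direction)
            and rule.iface in (None, pkt.iface)
            and (rule.src is None or ipaddress.ip_address(pkt.src) in rule.src)
            and (rule.dst is None or ipaddress.ip_address(pkt.dst) in rule.dst))


def evaluate(rules: list[Rule], pkt: Packet) -> tuple[str, Optional[str]]:
    """Return (verdict, deciding rule). The last matching rule wins unless a
    matching rule is "quick", which ends the walk. No match at all: pass."""
    verdict, winner = "pass", None
    for rule in rules:
        if matches(rule, pkt):
            verdict, winner = rule.action, rule.text
            if rule.quick:
                break
    return verdict, winner


# Constructed rulesets: LOOSE is the "overridden" ordering from Jeremy's reply,
# STRICT his recommended one. $othernet, em0 and the addresses are made up.
MACROS = 'int_if = "sk0"\nmynet = "10.0.0.0/16"\nothernet = "192.168.1.0/24"\n'
LOOSE = MACROS + """
pass out quick on $int_if
block in on $int_if
pass in on $int_if from $mynet to any
pass in from $othernet to any
"""
STRICT = MACROS + """
pass in quick on $int_if from $mynet to any
pass out quick on $int_if from $mynet to any
block in quick on $int_if
pass in from $othernet to any
"""
OUTSIDER = Packet("in", "sk0", "192.168.1.5", "10.0.0.1")  # other subnet, via sk0
INSIDER = Packet("in", "sk0", "10.0.5.5", "10.0.0.1")       # inside $mynet
VIA_EM0 = Packet("in", "em0", "192.168.1.5", "10.0.0.1")   # other subnet, other NIC

if __name__ == "__main__":
    for name, conf in (("LOOSE", LOOSE), ("STRICT", STRICT)):
        for pkt in (OUTSIDER, INSIDER, VIA_EM0):
            verdict, why = evaluate(parse_rules(conf), pkt)
            print(f"{name:6} {pkt.src:>12} in on {pkt.iface}: {verdict:5} <- {why}")
```

Running it shows the OUTSIDER packet passing under LOOSE (the interface-less "pass in from $othernet" is the last match and overrides "block in on sk0") and being blocked under STRICT ("block in quick on sk0" ends the walk). The VIA_EM0 case illustrates the scope of Jeremy's fix: "block in quick on $int_if" only governs packets that enter through sk0, so traffic from another subnet arriving on a different interface is decided by whatever rules match that interface. On the real box the equivalent checks are `pfctl -nf /etc/pf.conf` to parse the ruleset without loading it and `pfctl -vvsr` to see the rules actually loaded, in order, with their match counters. One caveat from pf.conf(5) when adding antispoof for lo0: the antispoof rules also affect packets sent over the loopback interface to local addresses, so those should be passed explicitly (or lo0 skipped with `set skip on lo0`).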
