Matthew Seaman wrote:
> >>>>> I need no details, just a general hint how to set up such security
> >>>>> levels, preferably independent of actual IP addresses behind the
> >>>>> interfaces (a :network macro is not always sufficient).
> >>>>
> >>>> You may use urpf-failed instead of :network
> >>>> urpf-failed: Any source address that fails a unicast reverse path
> >>>> forwarding (URPF) check, i.e. packets coming in on an interface
> >>>> other than that which holds the route back to the packet's source
> >>>> address.
> >>>
> >>> Excuse me, I do not see how this is relevant to my question (allowing
> >>> traffic to be initiated from a more secure interface to a less secure
> >>> interface and not vice versa).
> >>
> >> Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
> >> FreeBSD). There is no concept of security level at all, you must specify
> >> on each interface the traffic allowed (in input and output).
> >>
> >> My reply was about the use of the interface:network addresses.
>
> pf has the concept of packet tagging. So you can write a small rule to
> tag traffic crossing e.g. your set of internal interfaces and then write
> one ruleset to filter all that traffic identified by tag.
>
> Quoting pf.conf(5): "This can be used, for example, to
> provide trust between interfaces and to determine if packets
> have been processed by translation rules."
I guess the tagging feature can be useful. Thank you for the hint. If I come up with a working ruleset, I'll post it here.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to "freebsd-questions-unsubscr...@freebsd.org"
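The following pf.conf fragment shows how the tagging idea from Matthew's reply can emulate the "security level" behaviour Victor asked about (traffic may be initiated from a more trusted interface towards a less trusted one, never the other way) without naming any network behind the interfaces. It is an added example, not a ruleset posted in this thread; the interface names em0/em1/em2, the tag names LEVEL0/LEVEL50/LEVEL100 and the 192.0.2.10 web server address are assumptions chosen for illustration. The one caveat a practitioner needs is state handling: pf states are floating, so if the ingress tagging rules created state, the first packet and all its replies would match that state on every interface and the egress level check would never run. The ingress rules are therefore `no state`, and state is created on egress instead.

```pf
# Added example: emulating "security levels" with pf packet tags.
# Interface names, tag names and addresses are assumptions for illustration.
ext_if = "em0"   # level 0:   least trusted (Internet)
dmz_if = "em1"   # level 50:  servers reachable from outside
int_if = "em2"   # level 100: most trusted (LAN)

# Addresses of the firewall itself, expanded from the interface names when the
# ruleset is loaded (reload with pfctl if these addresses change).
fw_self = "{" $ext_if $dmz_if $int_if "}"

# States float by default: once a state exists, the packet and its replies
# match it on every interface and the rules below are skipped. The ingress
# tagging rules are therefore "no state", so the first packet of a flow is
# still evaluated on egress, where the level comparison happens.
set state-policy floating
set skip on lo0

block log all

# 1. Traffic addressed to the firewall itself: allow only what is listed,
#    then drop the rest so the forwarding rules cannot pass it by accident.
pass in quick on $int_if proto tcp to ($int_if) port ssh keep state
block in quick to $fw_self

# 2. Ingress: classify forwarded packets by the trust level of the
#    interface they arrived on. No IP addresses are involved.
pass in quick on $int_if tag LEVEL100 no state
pass in quick on $dmz_if tag LEVEL50  no state
pass in quick on $ext_if tag LEVEL0   no state

# 3. Egress: a packet may leave towards a less trusted interface only.
#    State is created here, so replies come back through the floating state.
pass out quick on $dmz_if tagged LEVEL100 keep state
pass out quick on $ext_if tagged LEVEL100 keep state
pass out quick on $ext_if tagged LEVEL50  keep state

# 4. Explicit exceptions in the lower -> higher direction, for example a
#    web server in the DMZ (192.0.2.10 is a constructed address).
pass out quick on $dmz_if proto tcp to 192.0.2.10 port http tagged LEVEL0 keep state

# Anything else carrying a lower level than its outgoing interface (LEVEL0
# leaving on $dmz_if or $int_if, LEVEL50 leaving on $int_if) matches no pass
# rule and is dropped and logged by "block log all". Traffic between two
# interfaces of the same level is also dropped; add egress rules if needed.
```

Check the fragment with `pfctl -nvf /etc/pf.conf`, which parses the file and prints the rules with macros expanded without loading them; the `$fw_self` line in that output shows which firewall addresses were captured at load time. Only that exclusion depends on interface addresses; the level policy itself is expressed purely in terms of interfaces and tags.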