Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?
On 05/07/18 23:51, Martin Gignac wrote:
>> It looks like 'received-on' would be a cleaner and shorter way to
>> achieve my goal by allowing me to specify inbound and outbound
>> interfaces in the same rule.
>>
>
> I think I spoke too quickly; it would be an alternative way, but not a
> shorter one as I would still need the initial "pass in lab01" I guess. I
> just wouldn't have to tag it.
>

I usually do the filtering on the outbound interface and add a statement
like the following to pass in all to-be-forwarded packets:

pass in to !(self)

This way you don't have to add different rules for different tags.

martijn@
Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?
On 05/07/18 18:40, Martin Gignac wrote:
> In an OpenBSD pf rule however, a rule only references a single
> interface and a direction (in, out).

This is not correct. It's perfectly valid and not unusual to have rules like

pass from 10.2.3.0/24

(or 'pass to $somenet'). The default state-policy is 'floating' (as in not
tied to an interface) but you can set it to be if-bound if you like.

But for the use case you describe, tagging on ingress and filtering on
tagged later is certainly a potentially useful approach.

- Peter

--
Peter N. M. Hansteen, member of the first RFC 1149 implementation team
http://bsdly.blogspot.com/ http://www.bsdly.net/ http://www.nuug.no/
"Remember to set the evil bit on all malicious network traffic"
delilah spamd[29949]: 85.152.224.147: disconnected after 42673 seconds.
Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?
> It looks like 'received-on' would be a cleaner and shorter way to
> achieve my goal by allowing me to specify inbound and outbound
> interfaces in the same rule.
>

I think I spoke too quickly; it would be an alternative way, but not a
shorter one as I would still need the initial "pass in lab01" I guess. I
just wouldn't have to tag it.
Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?
> You could also replace the above with "pass in on $lab02 received-on $lab01".

Oh, I completely missed the 'received-on' statement in the OpenBSD pf.conf
man page! (I have to support a pfSense for the moment so I'm alternating
between the OpenBSD and FreeBSD man pages [the latter does not support
'received-on']).

It looks like 'received-on' would be a cleaner and shorter way to achieve
my goal by allowing me to specify inbound and outbound interfaces in the
same rule.

Thanks!
-Martin
Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?
> I imagine you meant "pass out on $lab02 tagged from_lab01".

You're absolutely right, Ken!

Thanks,
-Martin
Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?
On Mon, May 7, 2018 at 11:51 AM, Daniel Melameth wrote:
> On Mon, May 7, 2018 at 10:40 AM, Martin Gignac wrote:
>> In Juniper SRXes and Netscreen firewalls one defines security policies
>> (firewall rules) according to a "from" security zone, and a "to"
>> security zone. Rules within each "from-to" combo can then focus on
>> allowing or blocking individual IP subnets if required.
> ...
>
>> I am looking to define firewall policies on OpenBSD where I can
>> enforce something like "all traffic from lab01 to lab02 is allowed by
>> default, but all traffic from lab02 to lab01 is denied by default".
>> In this case lab01 and lab02 are bound to different interfaces
>> (obviously), but behind each interface is another router to which are
>> attached a changing number of subnets, so I want to avoid having to
>> update subnet lists in my pf rules constantly. This situation would be
>> simple to deal with in Juniper/Netscreen or Linux, but I'm having a
>> hard time figuring out how to achieve a similar result in pf. I
>> thought about passing all traffic on ingress on the lab01 and lab02
>> interfaces, tagging that traffic with a "from_lab0x" tag, and then
>> having outbound rules take action based on the relevant interface and
>> tag, like so:
>>
>> lab01 = em1
>> lab02 = em2
>>
>> set state-policy if-bound
>>
>> block
>>
>> pass in on $lab01 tag from_lab01
>> pass in on $lab02 tag from_lab02
>>
>> pass in on $lab02 tagged from_lab01
>
> You could also replace the above with "pass in on $lab02 received-on $lab01".

I meant "pass out on $lab02 received-on $lab01". Obviously pass in wouldn't
work in your example and mine.

>> block out on $lab01 tagged from_lab02
>>
>> Does this look like it makes sense? Is using an 'if-bound'
>> state-policy ill-advised? Are there any obvious problems with this
>> method? If so, is there a better way to achieve my goal?
Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?
On Mon, May 7, 2018 at 10:40 AM, Martin Gignac wrote:
> In Juniper SRXes and Netscreen firewalls one defines security policies
> (firewall rules) according to a "from" security zone, and a "to"
> security zone. Rules within each "from-to" combo can then focus on
> allowing or blocking individual IP subnets if required.
...
> I am looking to define firewall policies on OpenBSD where I can
> enforce something like "all traffic from lab01 to lab02 is allowed by
> default, but all traffic from lab02 to lab01 is denied by default".
> In this case lab01 and lab02 are bound to different interfaces
> (obviously), but behind each interface is another router to which are
> attached a changing number of subnets, so I want to avoid having to
> update subnet lists in my pf rules constantly. This situation would be
> simple to deal with in Juniper/Netscreen or Linux, but I'm having a
> hard time figuring out how to achieve a similar result in pf. I
> thought about passing all traffic on ingress on the lab01 and lab02
> interfaces, tagging that traffic with a "from_lab0x" tag, and then
> having outbound rules take action based on the relevant interface and
> tag, like so:
>
> lab01 = em1
> lab02 = em2
>
> set state-policy if-bound
>
> block
>
> pass in on $lab01 tag from_lab01
> pass in on $lab02 tag from_lab02
>
> pass in on $lab02 tagged from_lab01

You could also replace the above with "pass in on $lab02 received-on $lab01".

> block out on $lab01 tagged from_lab02
>
> Does this look like it makes sense? Is using an 'if-bound'
> state-policy ill-advised? Are there any obvious problems with this
> method? If so, is there a better way to achieve my goal?
Re: How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?
On Mon, May 7, 2018 at 12:40 PM, Martin Gignac wrote:
> set state-policy if-bound
>
> block
>
> pass in on $lab01 tag from_lab01
> pass in on $lab02 tag from_lab02
>
> pass in on $lab02 tagged from_lab01
> block out on $lab01 tagged from_lab02
>
> Does this look like it makes sense? Is using an 'if-bound'
> state-policy ill-advised? Are there any obvious problems with this
> method? If so, is there a better way to achieve my goal?

I imagine you meant "pass out on $lab02 tagged from_lab01".

Yes, this makes sense and I don't see any reason you can't do it this way
if you want to. It seems like a perfect use-case for tags.

-ken
How to have pf filter packets on combination of incoming and outgoing interface (for packets transiting the firewall)?
Hello,

In Juniper SRXes and Netscreen firewalls one defines security policies
(firewall rules) according to a "from" security zone, and a "to"
security zone. Rules within each "from-to" combo can then focus on
allowing or blocking individual IP subnets if required.

In Linux, the FORWARD chain is used for all traffic traversing the
firewall and not destined for it. The firewall chain allows the
administrator to filter based on incoming interface *and* outgoing
interface.

In an OpenBSD pf rule however, a rule only references a single
interface and a direction (in, out).

I am looking to define firewall policies on OpenBSD where I can
enforce something like "all traffic from lab01 to lab02 is allowed by
default, but all traffic from lab02 to lab01 is denied by default".
In this case lab01 and lab02 are bound to different interfaces
(obviously), but behind each interface is another router to which are
attached a changing number of subnets, so I want to avoid having to
update subnet lists in my pf rules constantly. This situation would be
simple to deal with in Juniper/Netscreen or Linux, but I'm having a
hard time figuring out how to achieve a similar result in pf. I
thought about passing all traffic on ingress on the lab01 and lab02
interfaces, tagging that traffic with a "from_lab0x" tag, and then
having outbound rules take action based on the relevant interface and
tag, like so:

lab01 = em1
lab02 = em2

set state-policy if-bound

block

pass in on $lab01 tag from_lab01
pass in on $lab02 tag from_lab02

pass in on $lab02 tagged from_lab01
block out on $lab01 tagged from_lab02

Does this look like it makes sense? Is using an 'if-bound'
state-policy ill-advised? Are there any obvious problems with this
method? If so, is there a better way to achieve my goal?

Thanks,
-Martin
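The following is an added example and not the ruleset of anyone in this thread: one complete /etc/pf.conf for an OpenBSD firewall that assembles the pieces discussed above into a working "from zone / to zone" policy. It keeps Martin's tag-on-ingress design with Ken's correction (the egress rule must be pass out, not pass in), shows Daniel's received-on form of the same decision, and uses Martijn's "pass in to !(self)" to admit all transit traffic without one ingress rule per tag. The interface names em0, em1 and em2, the existence of a separate management interface, and the choice to allow only ssh to the firewall itself are assumptions made for illustration.

```conf
# Added example for the zone policy discussed in the thread; not the
# configuration of any poster. Interface names are assumptions.
lab01 = "em1"
lab02 = "em2"
mgmt  = "em0"

set skip on lo

# Bind states to the interface that created them. With the default
# floating policy, the state created by "pass in on $lab01" below would
# also match the same connection on its way out of $lab02, and the egress
# rules that implement the zone decision would never be evaluated.
set state-policy if-bound

# Default deny in both directions on every interface; log what is dropped.
block log

# Administrative access to the firewall itself (assumed: ssh only).
pass in on $mgmt proto tcp to self port ssh

# Approach 1: tag on ingress, decide on egress (original post, with the
# egress rule corrected to "pass out" as pointed out in the replies).
pass in on $lab01 tag from_lab01
pass in on $lab02 tag from_lab02

pass out on $lab02 tagged from_lab01
# Already denied by the default block; stated explicitly so the intent
# is visible in "pfctl -sr" and the drops are logged with this rule.
block out log on $lab01 tagged from_lab02

# Approach 2: admit every packet that is not addressed to the firewall,
# then decide on the egress interface using received-on (Daniel's and
# Martijn's suggestion; OpenBSD only, FreeBSD pf lacks received-on).
# Uncomment these three lines and remove the approach 1 rules to use it.
# pass in to !(self)
# pass out on $lab02 received-on $lab01
# block out log on $lab01 received-on $lab02

# Traffic the firewall itself originates.
pass out from self
```

Check the file with pfctl -nf /etc/pf.conf before loading it with pfctl -f /etc/pf.conf. After some traffic has crossed the box, pfctl -ss lists the states with the interface they are bound to in the first column (floating states show "all"), which is the quickest way to confirm that if-bound is in effect and that the egress rules are actually being consulted.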