Re: pf tagging and matching over more than one interface ...

2005-11-11 Thread Mark Patruck
Your packet flow looks like this:

 IN
 > $wan_if (Packets from  enter on
$wan_if on port 1194/TCP =>
tag 'NORM')

 IN
any > $tun_if (Packets from any can enter on
$tun_if on port {80,443}/TCP
_if_ they were tagged 'NORM'
before)

In this case packets that enter on $wan_if/$tun_if have
nothing to do with each other, hence PF handles them
separately. (first seen)


 IN   OUT
 > $wan_if ---> $tun_if

(Packets entering on $wan_if on port 1194/TCP get tagged
'NORM' and can leave on $tun_if to port { 80, 443 }/TCP
_if_ they were tagged 'NORM' before)

Now PF knows about the relationship between $wan_if
and $tun_if.


-Mark


On Fri, Nov 11, 2005 at 03:37:57PM +0100, Wild Karl-Heinz wrote:
> In message "pf tagging and matching over more than one interface ..."
>on 11.11.2005, David fire <[EMAIL PROTECTED]> writes:
> 
> Df> you only tag the packets to port 1194 in both cases and you are allowing only
> Df> tagged packets to ports 22, 80, 443
> 
> Port 1194 on wan_if is handled by openvpn.
> Then the data will be redirected to the
> tun interface and there I'll filter the
> traffic.
> 
> Sorry, I didn't explain enough.
> 
> Df> 2005/11/11, Karl-Heinz Wild <[EMAIL PROTECTED]>:
> >>
> >> I try to tag a connection on the wan_if and
> >> accordingly on the tag I'll restrict the
> >> access on another interface, like:
> >>
> >> an example ...
> >>
> >> pass in quick on wan_if proto tcp from  to port 1194 tag NORM keep state
> >> pass in quick on wan_if proto tcp from  to port 1194 tag POWER keep state
> >>
> >> pass in quick on tun_if to port { 80, 443 } tagged NORM keep state
> >> pass in quick on tun_if to port { 22, 80, 443 } tagged POWER keep state
> >>
> >> ...
> >>
> >> but I don't know why it doesn't work.
> >> I thought that would work.
> >>
> >> I ask for advice.
> >> Thanks
> >>
> >> Karl-Heinz
> 

-- 
Mark Patruck - Security Consultant

patruck consulting
http://www.patruck-consulting.de
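As an added example (not configuration from the thread, and not Mark's or Karl-Heinz's own rules), the pf.conf fragment below separates the two things the thread is mixing: the in/out relationship described in the reply above, which only exists for a packet that pf itself forwards from one interface to the other, and the decrypted traffic that openvpn writes to the tun interface, which pf sees as brand-new untagged packets. Interface names, macro names and all addresses are assumptions; 192.0.2.0/24 and 10.8.0.0/24 are constructed sample ranges, and the tunnel addresses are assumed to be fixed per VPN client.

```pf
# Added example, not the thread's configuration. Interface and macro names and
# all addresses are assumptions; 192.0.2.0/24 and 10.8.0.0/24 are constructed.
wan_if = "em0"                                   # assumed external interface
tun_if = "tun0"                                  # assumed OpenVPN interface
norm_clients  = "{ 192.0.2.10, 192.0.2.11 }"     # constructed VPN peer addresses
power_clients = "{ 192.0.2.20 }"
vpn_peers     = "{ 192.0.2.10, 192.0.2.11, 192.0.2.20 }"

# (A) The 1194/TCP flow is not forwarded anywhere: it terminates in the openvpn
#     daemon on this host. It is plain stateful inbound traffic on $wan_if and
#     nothing done to it here can be seen again on $tun_if.
pass in quick on $wan_if proto tcp from $vpn_peers to port 1194 keep state

# (B) What 'tag'/'tagged' can do across interfaces: mark a packet where it
#     enters and check the mark where the *same packet* leaves after pf has
#     forwarded it. This applies only to traffic pf actually routes from
#     $wan_if to $tun_if. The in rules are stateless on purpose: a state
#     created here would already match the packet when it leaves on $tun_if
#     (states float across interfaces by default) and the out rule would
#     never be evaluated; the state is kept on the out side instead.
pass in quick on $wan_if proto tcp from $norm_clients  tag NORM
pass in quick on $wan_if proto tcp from $power_clients tag POWER
pass out quick on $tun_if proto tcp to port { 80, 443 }     tagged NORM  keep state
pass out quick on $tun_if proto tcp to port { 22, 80, 443 } tagged POWER keep state

# (C) The packets openvpn writes to $tun_if after decryption are new packets
#     with a different destination port and no tag, so 'tagged' on $tun_if can
#     never be true for them. Per-client policy there has to key on something
#     the inner packet carries, here the tunnel address of each client
#     (assumed fixed per client by the VPN).
vpn_norm  = "{ 10.8.0.10, 10.8.0.11 }"           # constructed tunnel addresses
vpn_power = "{ 10.8.0.20 }"
pass in quick on $tun_if proto tcp from $vpn_norm  to port { 80, 443 }     keep state
pass in quick on $tun_if proto tcp from $vpn_power to port { 22, 80, 443 } keep state

# (D) Anything else entering on $tun_if is dropped and logged, so a NORM client
#     reaching for port 22 shows up in pflog instead of silently passing.
block in log quick on $tun_if
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it, and watch what (D) drops with `tcpdump -n -e -ttt -i pflog0`; if the (C) rules are missing or the tunnel addresses are wrong, every inner packet lands there.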



Re: pf tagging and matching over more than one interface ...

2005-11-11 Thread Wild Karl-Heinz
In message "pf tagging and matching over more than one interface ..."
   on 11.11.2005, David fire <[EMAIL PROTECTED]> writes:

Df> you only tag the packets to port 1194 in both cases and you are allowing only
Df> tagged packets to ports 22, 80, 443

Port 1194 on wan_if is handled by openvpn.
Then the data will be redirected to the
tun interface and there I'll filter the
traffic.

Sorry, I didn't explain enough.

Df> 2005/11/11, Karl-Heinz Wild <[EMAIL PROTECTED]>:
>>
>> I try to tag a connection on the wan_if and
>> accordingly on the tag I'll restrict the
>> access on another interface, like:
>>
>> an example ...
>>
>> pass in quick on wan_if proto tcp from  to port 1194 tag NORM keep state
>> pass in quick on wan_if proto tcp from  to port 1194 tag POWER keep state
>>
>> pass in quick on tun_if to port { 80, 443 } tagged NORM keep state
>> pass in quick on tun_if to port { 22, 80, 443 } tagged POWER keep state
>>
>> ...
>>
>> but I don't know why it doesn't work.
>> I thought that would work.
>>
>> I ask for advice.
>> Thanks
>>
>> Karl-Heinz



Re: pf tagging and matching over more than one interface ...

2005-11-11 Thread David fire
hi
you only tag the packets to port 1194 in both cases and you are allowing only
tagged packets to ports 22, 80, 443

David


2005/11/11, Karl-Heinz Wild <[EMAIL PROTECTED]>:
>
> I try to tag a connection on the wan_if and
> accordingly on the tag I'll restrict the
> access on another interface, like:
>
> an example ...
>
> pass in quick on wan_if proto tcp from  to port 1194 tag NORM keep state
> pass in quick on wan_if proto tcp from  to port 1194 tag POWER keep state
>
> pass in quick on tun_if to port { 80, 443 } tagged NORM keep state
> pass in quick on tun_if to port { 22, 80, 443 } tagged POWER keep state
>
> ...
>
> but I don't know why it doesn't work.
> I thought that would work.
>
> I ask for advice.
> Thanks
>
> Karl-Heinz



pf tagging and matching over more than one interface ...

2005-11-11 Thread Karl-Heinz Wild

I try to tag a connection on the wan_if and
accordingly on the tag I'll restrict the
access on another interface, like:

an example ...

pass in quick on wan_if proto tcp from  to port 1194 tag NORM keep state
pass in quick on wan_if proto tcp from  to port 1194 tag POWER keep state


pass in quick on tun_if to port { 80, 443 } tagged NORM  keep state
pass in quick on tun_if to port { 22, 80, 443 } tagged POWER keep state

...

but I don't know why it doesn't work.
I thought that would work.

I ask for advice.
Thanks

Karl-Heinz