Re: need help with pf configuration
Matthew Seaman wrote:
> > > > > I need no details, just a general hint how to setup such
> > > > > security levels, preferably independent of actual IP addresses
> > > > > behind the interfaces (a :network macro is not always
> > > > > sufficient).
> > > >
> > > > You may use urpf-failed instead :network
> > > >
> > > > urpf-failed: Any source address that fails a unicast reverse path
> > > > forwarding (URPF) check, i.e. packets coming in on an interface
> > > > other than that which holds the route back to the packet's source
> > > > address.
> > >
> > > Excuse me, I do not see how this is relevant to my question
> > > (allowing traffic to be initiated from a more secure interface to
> > > a less secure interface and not vice versa).
> >
> > Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
> > FreeBSD). There is no concept of security level at all, you must
> > specify on each interface the traffic allowed (in input and output).
> >
> > My reply was about the use of the interface:network addresses.
>
> pf has the concept of packet tagging. So you can write a small rule to
> tag traffic crossing eg. your set of internal interfaces and then write
> one ruleset to filter all that traffic identified by tag. Quoting
> pf.conf(5):
>
>     This can be used, for example, to provide trust between interfaces
>     and to determine if packets have been processed by translation
>     rules.

I guess the tagging feature can be useful. Thank you for the hint. If I
come up with a working ruleset, I'll post it here.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: need help with pf configuration
Nikos Vassiliadis wrote:
> > > > I have a configuration with 2 inside interfaces, 1 outside and 1
> > > > dmz interface. The traffic should be able to flow
> > > >
> > > > 1) from inside1 to any (and back)
> > > > 2) from inside2 to any (and back)
> > > > 3) from dmz to outside only (and back).
> > > >
> > > > I need no details, just a general hint how to setup such security
> > > > levels, preferably independent of actual IP addresses behind the
> > > > interfaces (a :network macro is not always sufficient).
> > >
> > > You may use urpf-failed instead :network
> > >
> > > urpf-failed: Any source address that fails a unicast reverse path
> > > forwarding (URPF) check, i.e. packets coming in on an interface
> > > other than that which holds the route back to the packet's source
> > > address.
> >
> > Excuse me, I do not see how this is relevant to my question (allowing
> > traffic to be initiated from a more secure interface to a less secure
> > interface and not vice versa).
>
> What if you combine macros and lists? The ruleset below seems scalable
> to any number of interfaces.
>
>     inside1 = em1
>     inside2 = em2
>     dmz = em0
>     insides = { $inside1:network $inside2:network }

The problem is, there could be several routed networks behind the inside
interfaces. Not all inside networks are directly connected, and the
:network macro works only for directly connected interfaces, right?

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
Re: need help with pf configuration
On Mon, 10 Oct 2011 14:10:53 +0700, Victor Sudakov <suda...@sibptus.tomsk.ru> wrote:
> The problem is, there could be several routed networks behind the
> inside interfaces. Not all inside networks are directly connected, and
> the :network macro works only for directly connected interfaces, right?

Right, this is why I suggest urpf-failed instead.

Regards.
Re: need help with pf configuration
On Sun, 9 Oct 2011 12:15:54 +0700, Victor Sudakov <v...@mpeks.tomsk.su> wrote:
> I have a configuration with 2 inside interfaces, 1 outside and 1 dmz
> interface. The traffic should be able to flow
>
> 1) from inside1 to any (and back)
> 2) from inside2 to any (and back)
> 3) from dmz to outside only (and back).
>
> I need no details, just a general hint how to setup such security
> levels, preferably independent of actual IP addresses behind the
> interfaces (a :network macro is not always sufficient).

You may use urpf-failed instead :network

urpf-failed: Any source address that fails a unicast reverse path
forwarding (URPF) check, i.e. packets coming in on an interface other
than that which holds the route back to the packet's source address.

something like

    block in quick on $inside1 from urpf-failed to any
    pass in quick on $inside1

I've not tested this.

Regards
Re: need help with pf configuration
Patrick Lamaiziere wrote:
> > I have a configuration with 2 inside interfaces, 1 outside and 1 dmz
> > interface. The traffic should be able to flow
> >
> > 1) from inside1 to any (and back)
> > 2) from inside2 to any (and back)
> > 3) from dmz to outside only (and back).
> >
> > I need no details, just a general hint how to setup such security
> > levels, preferably independent of actual IP addresses behind the
> > interfaces (a :network macro is not always sufficient).
>
> You may use urpf-failed instead :network
>
> urpf-failed: Any source address that fails a unicast reverse path
> forwarding (URPF) check, i.e. packets coming in on an interface other
> than that which holds the route back to the packet's source address.

Excuse me, I do not see how this is relevant to my question (allowing
traffic to be initiated from a more secure interface to a less secure
interface and not vice versa).

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
Re: need help with pf configuration
On Sun, 9 Oct 2011 14:39:10 +0700, Victor Sudakov <v...@mpeks.tomsk.su> wrote:
> > > I need no details, just a general hint how to setup such security
> > > levels, preferably independent of actual IP addresses behind the
> > > interfaces (a :network macro is not always sufficient).
> >
> > You may use urpf-failed instead :network
> >
> > urpf-failed: Any source address that fails a unicast reverse path
> > forwarding (URPF) check, i.e. packets coming in on an interface other
> > than that which holds the route back to the packet's source address.
>
> Excuse me, I do not see how this is relevant to my question (allowing
> traffic to be initiated from a more secure interface to a less secure
> interface and not vice versa).

Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
FreeBSD). There is no concept of security level at all, you must specify
on each interface the traffic allowed (in input and output).

My reply was about the use of the interface:network addresses.

Regards.
Re: need help with pf configuration
On 09/10/2011 10:31, Patrick Lamaiziere wrote:
> On Sun, 9 Oct 2011 14:39:10 +0700, Victor Sudakov <v...@mpeks.tomsk.su> wrote:
> > > > I need no details, just a general hint how to setup such security
> > > > levels, preferably independent of actual IP addresses behind the
> > > > interfaces (a :network macro is not always sufficient).
> > >
> > > You may use urpf-failed instead :network
> > >
> > > urpf-failed: Any source address that fails a unicast reverse path
> > > forwarding (URPF) check, i.e. packets coming in on an interface
> > > other than that which holds the route back to the packet's source
> > > address.
> >
> > Excuse me, I do not see how this is relevant to my question (allowing
> > traffic to be initiated from a more secure interface to a less secure
> > interface and not vice versa).
>
> Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
> FreeBSD). There is no concept of security level at all, you must
> specify on each interface the traffic allowed (in input and output).
>
> My reply was about the use of the interface:network addresses.

pf has the concept of packet tagging. So you can write a small rule to
tag traffic crossing eg. your set of internal interfaces and then write
one ruleset to filter all that traffic identified by tag. Quoting
pf.conf(5):

    This can be used, for example, to provide trust between interfaces
    and to determine if packets have been processed by translation
    rules.

I think that's roughly equivalent to what the OP was asking about.

Cheers,

Matthew

--
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
JID: matt...@infracaninophile.co.uk               Kent, CT11 9PW
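A worked version of the tag-based trust Matthew describes, built for the PIX-style security levels the original post asks for; this is an added example, not code from anyone in the thread. It assumes em0/em1/em2 as the dmz/inside1/inside2 names from Nikos's post, em3 as the outside interface, and pf's tag/tagged and self keywords as documented in pf.conf(5); the function only generates the ruleset and does not load it.

```shell
#!/bin/sh
# Generate a pf ruleset that mimics PIX security levels with pf tags.
# Every inbound packet is tagged with the level of its ingress interface;
# an egress interface only passes packets whose tag carries a strictly
# higher level, so sessions can be initiated from a more secure interface
# to a less secure one but not the other way round (interfaces sharing a
# level cannot reach each other, as on a PIX by default). pf keeps state on
# these pass rules, so replies flow back. Traffic to or from the firewall
# host itself stays blocked here and needs its own rules.
# Assumed syntax: "tag", "tagged" and "self" as in pf.conf(5).

# Constructed sample table, one "interface level" pair per line.
# em0/em1/em2 follow the thread (dmz, inside1, inside2); em3 is an assumed
# name for the outside interface.
SAMPLE_TABLE='em3 0
em1 100
em2 100
em0 50'

# gen_pf_rules TABLE -> prints the ruleset on stdout
gen_pf_rules() {
    table=$1
    # distinct security levels, ascending
    levels=$(printf '%s\n' "$table" | awk 'NF == 2 { print $2 }' | sort -un)
    echo "block all"
    echo "# inbound: tag forwarded traffic with the ingress security level"
    printf '%s\n' "$table" | while read -r ifc lvl; do
        if [ -n "$ifc" ]; then
            echo "pass in on $ifc from any to ! self tag lvl$lvl"
        fi
    done
    echo "# outbound: pass only traffic tagged with a strictly higher level"
    printf '%s\n' "$table" | while read -r ifc lvl; do
        if [ -n "$ifc" ]; then
            for l in $levels; do
                if [ "$l" -gt "$lvl" ]; then
                    echo "pass out on $ifc tagged lvl$l"
                fi
            done
        fi
    done
}

gen_pf_rules "$SAMPLE_TABLE"
```

Adding a fifth interface is one more table line; no existing rule changes, which is the scaling property the original post asked for.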
Re: need help with pf configuration
On 10/9/2011 10:39 AM, Victor Sudakov wrote:
> Patrick Lamaiziere wrote:
> > > I have a configuration with 2 inside interfaces, 1 outside and 1 dmz
> > > interface. The traffic should be able to flow
> > >
> > > 1) from inside1 to any (and back)
> > > 2) from inside2 to any (and back)
> > > 3) from dmz to outside only (and back).
> > >
> > > I need no details, just a general hint how to setup such security
> > > levels, preferably independent of actual IP addresses behind the
> > > interfaces (a :network macro is not always sufficient).
> >
> > You may use urpf-failed instead :network
> >
> > urpf-failed: Any source address that fails a unicast reverse path
> > forwarding (URPF) check, i.e. packets coming in on an interface other
> > than that which holds the route back to the packet's source address.
>
> Excuse me, I do not see how this is relevant to my question (allowing
> traffic to be initiated from a more secure interface to a less secure
> interface and not vice versa).

What if you combine macros and lists? The ruleset below seems scalable
to any number of interfaces.

    inside1 = em1
    inside2 = em2
    dmz = em0
    insides = { $inside1:network $inside2:network }

    pass in on $dmz from $dmz:network to any
    block in on $dmz from any to $insides

This expands nicely to:

    lab# pfctl -vf te
    inside1 = em1
    inside2 = em2
    dmz = em0
    insides = { em1:network em2:network }
    pass in on em0 inet from 192.168.73.0/24 to any flags S/SA keep state
    block drop in on em0 inet from any to 10.0.0.0/29
    block drop in on em0 inet from any to 192.168.56.0/24

HTH,

Nikos
Re: need help with pf configuration
Patrick Lamaiziere wrote:
> > > > I need no details, just a general hint how to setup such security
> > > > levels, preferably independent of actual IP addresses behind the
> > > > interfaces (a :network macro is not always sufficient).
> > >
> > > You may use urpf-failed instead :network
> > >
> > > urpf-failed: Any source address that fails a unicast reverse path
> > > forwarding (URPF) check, i.e. packets coming in on an interface
> > > other than that which holds the route back to the packet's source
> > > address.
> >
> > Excuse me, I do not see how this is relevant to my question (allowing
> > traffic to be initiated from a more secure interface to a less secure
> > interface and not vice versa).
>
> Sorry, you can't do this with pf, ipf or ipfw (the 3 firewalls in
> FreeBSD). There is no concept of security level at all, you must
> specify on each interface the traffic allowed (in input and output).

Actually you can with ipfw. The following concise ruleset should do it:

    check-state
    permit ip from any to any recv INSIDE xmit DMZ keep-state
    permit ip from any to any recv INSIDE xmit OUTSIDE keep-state
    permit ip from any to any recv DMZ xmit OUTSIDE keep-state

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru
need help with pf configuration
Colleagues,

I have a configuration with 2 inside interfaces, 1 outside and 1 dmz
interface. The traffic should be able to flow

1) from inside1 to any (and back)
2) from inside2 to any (and back)
3) from dmz to outside only (and back).

I need no details, just a general hint how to setup such security levels,
preferably independent of actual IP addresses behind the interfaces (a
:network macro is not always sufficient). It would be nice to find a
configuration that would scale to any number of interfaces with different
security levels.

On a Cisco PIX I would configure

    outside security0
    inside1 security100
    inside2 security100
    dmz security50

and that's it, the PIX logic would do the rest.

Thank you very much in advance for any input.

--
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
sip:suda...@sibptus.tomsk.ru