Hello all,

We are using VLAN tagging to aggregate multiple subnets onto our firewall.

We don't trust all of the networks that we're filtering, so we want to explicitly forbid traffic from VLAN1 to VLAN0 unless there's a rule that allows it. Normally, we put our block in/out rules on the external interface ($ext_if) of the firewall. However, my understanding is that with VLAN tagging trunking the separate VLANs onto $int_if, traffic from one VLAN to another will never traverse $ext_if, and hence will not get filtered with our classic setup. So I'm trying to filter outbound traffic on $ext_if and incoming traffic on vlan0 and vlan1, using policy-based filtering. Here's a simple example ruleset:

# skip local loopback
set skip on lo0

# skip internal interface (does not skip vlan0, etc.)
set skip on $int_if

# block all in/out on ext_if, vlans
block all

#### Universal Rules (classifiers) ####
# allow internal clients out to public web sites
pass out proto tcp to any port { http https } tag ALLOWED_OUT \
    keep state

#### Rules for CAESDO (classifiers) ####
# allow external clients into our web sites
pass in proto tcp to $caesdo_web port { http https } tag DO_ALLOWED_IN \
    keep state

#### Policy Rules ####
pass out on vlan0 tagged ALLOWED_OUT keep state
pass in on vlan0 tagged DO_ALLOWED_IN keep state
...
pass in on vlan1 tagged DEPT2_ALLOWED_IN keep state

A couple of questions:

1) We tried this setup on our more complicated (300+ line) ruleset, and it doesn't work -- where are we making our logical errors?

2) If the classifying rule has "keep state" and the policy rule has "synproxy state", which one is actually applied? In production, pftop shows counts on both the classifying rule and the policy rule.

3) If flags S/SA is defined on the classifier, does it carry through to the policy rule?

Thanks for any advice!

Adam

-- 
"Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu
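To make the tag/tagged mechanics in the post concrete, here is a small Python model of pf's rule evaluation as pf.conf(5) documents it: rules are walked in order and the last matching rule decides (unless it is `quick`); a `tag` is sticky, applied by every matching rule even when a later rule wins; and a `tagged` rule matches only a packet that already carries that tag, whether from an earlier rule in the same pass or from an earlier interface. This is an added example, not code from the post or from pf itself, and it has no state table, so every packet is evaluated as the first packet of a connection. The interface names em0/em1, the address standing in for $caesdo_web, and the "variant" ruleset (classifier with `flags S/SA`, policy rule with `synproxy state`) are assumptions chosen for illustration.

```python
"""Toy model of pf rule evaluation (last match wins, sticky tags).

Added illustration, not pf code.  Interface names and the $caesdo_web
address are assumptions.  There is no state table: each packet is
treated as the first packet of a connection.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Set, Tuple

EXT_IF = "em0"            # assumed $ext_if
INT_IF = "em1"            # assumed $int_if, the trunk carrying vlan0/vlan1
CAESDO_WEB = "10.0.0.10"  # assumed $caesdo_web
SKIP = {"lo0", INT_IF}    # 'set skip on lo0' and 'set skip on $int_if'


@dataclass
class Packet:
    iface: str
    direction: str              # "in" or "out"
    proto: str = "tcp"
    dst: str = "any"
    dport: int = 0
    flags: str = "S"            # TCP flags set on the packet
    tag: Optional[str] = None   # the sticky tag; travels with the packet


@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # None matches both directions
    iface: Optional[str] = None       # None matches any interface
    proto: Optional[str] = None
    dst: Optional[str] = None         # None or "any" matches everything
    dports: Optional[Set[int]] = None
    flags: Optional[str] = None       # "S/SA": only SYN-without-ACK matches
    tag: Optional[str] = None         # 'tag X': applied whenever rule matches
    tagged: Optional[str] = None      # 'tagged X': needs the tag already set
    state: Optional[str] = None       # "keep state" or "synproxy state"
    quick: bool = False
    text: str = ""                    # the pf.conf line, for readable output


def matches(r: Rule, p: Packet) -> bool:
    """Every criterion set on the rule must agree with the packet."""
    if r.direction and r.direction != p.direction:
        return False
    if r.iface and r.iface != p.iface:
        return False
    if r.proto and r.proto != p.proto:
        return False
    if r.dst and r.dst != "any" and r.dst != p.dst:
        return False
    if r.dports and p.dport not in r.dports:
        return False
    if r.flags == "S/SA" and not ("S" in p.flags and "A" not in p.flags):
        return False
    if r.tagged and p.tag != r.tagged:
        return False
    return True


def evaluate(rules: List[Rule], p: Packet) -> Optional[Rule]:
    """The rule whose action and options apply to p; None if 'set skip'."""
    if p.iface in SKIP:
        return None
    winner = None
    for r in rules:
        if not matches(r, p):
            continue
        if r.tag:
            p.tag = r.tag        # sticky: set even if r is not the last match
        winner = r
        if r.quick:
            break
    return winner


def forward(p: Packet, iface: str, direction: str) -> Packet:
    """The same packet seen on another interface; its tag comes along."""
    return replace(p, iface=iface, direction=direction)


def verdict(rules: List[Rule], p: Packet) -> Tuple[str, Optional[str], Optional[str], str]:
    """(action, state option of the winning rule, packet tag, rule text)."""
    r = evaluate(rules, p)
    if r is None:
        return ("skip", None, p.tag, "set skip")
    return (r.action, r.state, p.tag, r.text)


# The ruleset from the post, transcribed with the assumed macro values.
RULES = [
    Rule("block", text="block all"),
    Rule("pass", "out", proto="tcp", dports={80, 443}, tag="ALLOWED_OUT",
         state="keep state", text="pass out proto tcp to any port { http https } tag ALLOWED_OUT keep state"),
    Rule("pass", "in", proto="tcp", dst=CAESDO_WEB, dports={80, 443}, tag="DO_ALLOWED_IN",
         state="keep state", text="pass in proto tcp to $caesdo_web port { http https } tag DO_ALLOWED_IN keep state"),
    Rule("pass", "out", iface="vlan0", tagged="ALLOWED_OUT", state="keep state",
         text="pass out on vlan0 tagged ALLOWED_OUT keep state"),
    Rule("pass", "in", iface="vlan0", tagged="DO_ALLOWED_IN", state="keep state",
         text="pass in on vlan0 tagged DO_ALLOWED_IN keep state"),
    Rule("pass", "in", iface="vlan1", tagged="DEPT2_ALLOWED_IN", state="keep state",
         text="pass in on vlan1 tagged DEPT2_ALLOWED_IN keep state"),
]

# Assumed variant: classifier gains 'flags S/SA', vlan0 policy rule uses 'synproxy state'.
VARIANT = list(RULES)
VARIANT[1] = replace(RULES[1], flags="S/SA")
VARIANT[3] = replace(RULES[3], state="synproxy state")

if __name__ == "__main__":
    for p in (Packet("vlan0", "out", dport=80), Packet("vlan1", "out", dport=80),
              Packet("vlan1", "out", dport=22), Packet(EXT_IF, "in", dst=CAESDO_WEB, dport=443)):
        print(p.iface, p.direction, p.dport, "->", verdict(RULES, p))
```

Run over the posted ruleset, the model reports the winning rule's own state option together with the tag the packet picked up on the way: on vlan0 the policy rule is the last match, while on an interface with no later policy rule the `pass` classifier (which has no `on` clause) is itself the last match. In the variant, a packet that fails the classifier's `flags S/SA` test is never tagged, so the `tagged` policy rule cannot match it either and `block all` remains the last match.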