Hello all,

We are using VLAN-tagging to aggregate multiple subnets onto our firewall.

We don't trust all of the networks that we're filtering, so we want to
explicitly forbid traffic from VLAN1 to VLAN0 unless there's a rule
that allows it.

Normally, we put our block in/out rules on the external interface
($ext_if) of the firewall. However, my understanding is that, with VLAN
tagging trunking the separate VLANs onto $int_if, traffic from one
VLAN to another will never traverse $ext_if, and hence will not get
filtered by our classic setup.

So, I'm trying to filter outbound traffic on $ext_if and incoming
traffic on vlan0 and vlan1, using policy-based filtering. Here's a
simple example ruleset:

# skip local loopback
set skip on lo0

# skip internal interface (does not skip vlan0, etc)
set skip on $int_if

# block all in/out on ext_if, vlans
block all

#### Universal Rules (classifiers) ####

# allow internal clients out to public web sites
pass out proto tcp to any port { http https } tag ALLOWED_OUT \
       keep state

#### Rules for CAESDO (classifiers) ####

# allow external clients into our web sites
pass in proto tcp to $caesdo_web port { http https } tag DO_ALLOWED_IN \
       keep state

#### Policy Rules ####

# per-VLAN policy: only pass traffic that a classifier above has tagged
pass out on vlan0 tagged ALLOWED_OUT keep state
pass in on vlan0 tagged DO_ALLOWED_IN keep state

...

pass in on vlan1 tagged DEPT2_ALLOWED_IN keep state

A couple of questions:

1) We tried this setup on our more complicated (300+ line) ruleset; it
doesn't work -- where are we making our logical errors?

2) If the classifying rule has "keep state" and the policy rule has
"synproxy state", which one is actually applied? In production, pftop
shows counts on both the classifying rule and the policy rule.

3) If flags S/SA is defined on the classifier, does it carry through
the policy rule?

Thanks for any advice!

Adam
--
"Invincibility is in oneself, vulnerability in the opponent." -- Sun Tzu
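As an added illustration (not part of Adam's post and not pf's own code), here is a small Python model of the pf evaluation rules that govern a ruleset like the one above: the last matching rule wins, "tag" is sticky across later matches, "tagged" only matches when that tag is already present, and the tag travels with the packet from the interface it came in on to the one it leaves by. It assumes the semantics documented in pf.conf(5), ignores state, flags and synproxy, and uses the constructed names caesdo-web and int_if in place of $caesdo_web and $int_if.

```python
# Added toy model of pf's filter evaluation: the last matching rule wins and
# tags are sticky (any matching rule sets or replaces the packet's tag).
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:                           # a None field means "any"
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # "in" / "out"
    iface: Optional[str] = None       # no 'on <if>' => matches every interface
    dst: Optional[str] = None         # destination host
    dport: Optional[int] = None       # TCP destination port
    tag: Optional[str] = None         # 'tag X' applied on match
    tagged: Optional[str] = None      # 'tagged X' required to match

SKIP = ("lo0", "int_if")              # 'set skip on' (placeholder names)

def evaluate(rules, direction, iface, dst, dport, tag=None):
    """One pass on one interface; returns (verdict, tag after the pass)."""
    if iface in SKIP:
        return "pass", tag            # skipped interfaces are never filtered
    verdict = "pass"                  # pf's default when no rule matches
    for r in rules:
        if (r.direction in (None, direction) and r.iface in (None, iface)
                and r.dst in (None, dst) and r.dport in (None, dport)
                and (r.tagged is None or r.tagged == tag)):
            tag = r.tag or tag        # sticky: set even if a later rule wins
            verdict = r.action
    return verdict, tag

# The post's ruleset, port http only; "caesdo-web" stands in for $caesdo_web.
RULESET = [
    Rule("block"),
    Rule("pass", "out", dport=80, tag="ALLOWED_OUT"),
    Rule("pass", "in", dst="caesdo-web", dport=80, tag="DO_ALLOWED_IN"),
    Rule("pass", "out", iface="vlan0", tagged="ALLOWED_OUT"),
    Rule("pass", "in", iface="vlan0", tagged="DO_ALLOWED_IN"),
    Rule("pass", "in", iface="vlan1", tagged="DEPT2_ALLOWED_IN"),
]

def trace(dst, dport, hops):
    """Walk one packet through (direction, iface) hops; stop when blocked."""
    tag, results = None, []
    for direction, iface in hops:
        verdict, tag = evaluate(RULESET, direction, iface, dst, dport, tag)
        results.append((iface, verdict, tag))
        if verdict == "block":
            break
    return results
```

Tracing a few constructed packets (a vlan1 host reaching the vlan0 web server, an external client doing the same, a vlan0 client heading out to a public site) shows at which hop each one is tagged or blocked. Note that the two classifier rules carry no "on" clause, so in this model they match on the vlan interfaces just as they do on $ext_if.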
