pf, stateful filter and DMZ
Kajetan Staszkiewicz
vegeta at tuxpowered.net
Thu Nov 21 17:49:28 UTC 2019
On 21.11.19 16:10, Victor Sudakov wrote:
> Dear Colleagues,
>
> A quick question about pf from an ipfw user.
>
> Suppose I have three interfaces: $outside, $inside and $dmz. If I want
> to block any traffic from $dmz to $inside, unless it is
>
> 1. Return traffic from $inside to $dmz
pf is a stateful firewall and you can't really skip its statefulness.
It will always allow return traffic if you allowed the outgoing connection.
> 2. ICMP traffic in any direction
Sounds like a bad idea. Why would you do it?
> would these rules be sufficient?
>
> block in on $dmz
> pass in on $dmz proto icmp
> pass out on $inside
>
For me this rather looks like you allow from $dmz to $inside but block
from $dmz to $outside. Rules are not "quick", so the last one matching
applies. However, somebody else should verify this; I only ever use
quick rules, so I'm not 100% sure.
--
| pozdrawiam / greetings | powered by Debian, FreeBSD and CentOS |
| Kajetan Staszkiewicz | jabber,email: vegeta()tuxpowered net |
| Vegeta | www: http://vegeta.tuxpowered.net |
`------------------------^---------------------------------------'
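As an added illustration (not from either poster), here is a pf.conf fragment that expresses the policy asked about above using "quick" rules, so the first matching rule wins and the last-match ordering question does not arise. The interface names and the address block are assumptions, and return traffic from $dmz to $inside is handled by the state entry created on the inside-to-DMZ pass rather than by a separate rule.

```pf
# Added example, not part of the original thread. Interface names and
# the inside network are constructed assumptions.
ext_if = "em0"        # $outside
int_if = "em1"        # $inside
dmz_if = "em2"        # $dmz
inside_net = "192.168.1.0/24"   # constructed sample inside network

set skip on lo0

# Traffic arriving on the DMZ interface for the inside network is dropped,
# except ICMP. Both rules are "quick": pf stops evaluating at the first
# match, so no later "pass" rule can override the block.
pass in quick on $dmz_if inet proto icmp from $dmz_if:network to $inside_net keep state
block in quick log on $dmz_if from $dmz_if:network to $inside_net

# Inside hosts may open connections to the DMZ. The state created here is
# what lets the replies back in on $dmz_if; they never reach the block
# rule above because state lookup happens before rule evaluation.
pass in quick on $int_if from $inside_net to $dmz_if:network keep state

# Policy for $ext_if (outside) omitted; it is not part of the question.
```

Run `pfctl -nf /etc/pf.conf` to parse the file without loading it, and `pfctl -sr` after loading to confirm the rule order pf actually holds; `pfctl -ss` shows the state entries that carry the return traffic.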