Pf and limits on inbound from enc0

Post by Steven Cardina » Fri, 19 Apr 2002 08:40:31



I'm using OBSD 3.0 with pf, nat and isakmpd

All works fine, but I'm tightening up my rules.

My default rules block in and out on all interfaces (internal, external and
dmz). I then proceed to open things up.

My problem comes from my vpn connections using enc0

I allow in from any to internal network on enc0:

pass in quick on enc0 from any to $int_net keep state

but I also need to allow those connections to pass out on my internal
interface. I currently just allow from any, hoping that my external
interface rules are blocking all inbound, so any traffic would implicitly
be coming from enc0.

I hate leaving rules as implicit. Since I have a number of sites using
private IPs, I'd rather not have to maintain a bunch of rules for each of
those sites' address ranges. Is there any easier way to specify that things
going out the internal interface can only come from enc0? Since enc0 is
virtual and has no IP, I can't do:

pass out quick on $int_if from enc0 to $int_net keep state

So I currently have:

pass out quick on $int_if from any to $int_net keep state

Thanks
Steve

 
 
 
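The restriction asked for above (only traffic that entered on enc0 may leave on the internal interface, without listing every remote site's address range) is exactly what pf packet tags express. The pf.conf fragment below is an added example, not the poster's configuration and not something pf 3.0 can load: `tag`/`tagged` arrived in a later pf (OpenBSD 3.4 onward). The interface names, the $int_net value and the tag name are assumptions.

```conf
# Added example, not from the original post. Assumes fxp0 = external,
# fxp1 = internal, enc0 = decapsulated IPsec traffic from isakmpd.
ext_if  = "fxp0"
int_if  = "fxp1"
int_net = "10.0.1.0/24"

# Default deny on every interface, then open things up explicitly.
block in  log on { $ext_if, $int_if, enc0 } all
block out log on { $ext_if, $int_if, enc0 } all

# Traffic arriving from the VPN peers shows up on enc0 after decapsulation.
# Mark it as it enters; the tag travels with the packet (and with the state
# entry, so replies inherit it) no matter which interface it later leaves on.
pass in quick on enc0 from any to $int_net keep state tag VPN_IN

# Only packets that carry the tag, i.e. that came in on enc0, may leave on the
# internal interface. Anything else hits the block above and is logged.
pass out quick on $int_if tagged VPN_IN keep state
```

The tag replaces the "from any" wildcard with a statement about the packet's history rather than its source address, which is what the poster wanted, since enc0 itself has no address to match on. On a pf that predates tags, the only non-implicit alternative is a macro or table listing the VPN site ranges (for example `vpn_nets = "{ 192.168.1.0/24, 192.168.2.0/24 }"` and `pass out quick on $int_if from $vpn_nets to $int_net keep state`), which is the maintenance burden the post is trying to avoid; the macro values here are placeholders.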

Pf and limits on inbound from enc0

Post by roq » Fri, 03 May 2002 15:29:10


I'm having almost the same problem. I'm trying to block in and out on
my external, internal and dmz interface and then open up only what is
needed, but when I try to pass internal traffic out to the internet on
the external interface I can't. The rules I'm trying to use are:

block in log on fxp0 all
block out log on fxp0 all

pass out quick on fxp0 inet proto tcp from 10.0.1.1/32 to any port { 80, 443 } keep state

But if I use the following line I can:

pass out quick on fxp0 inet proto tcp from any to any port { 80, 443 } keep state

I've even tried using my external interface IP instead of the
internal one.

Any idea?

roq

--
Posted via dBforums
http://dbforums.com
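One thing worth checking when a `pass out on $ext_if from <internal host>` rule does not match while `from any` does: on a NAT gateway, pf applies the `nat` rule before the outbound filter rules on the external interface, so by the time the packet is evaluated against `pass out on fxp0` its source address is already the external address, not 10.0.1.1. The fragment below is an added example, not roq's configuration, and it does not claim to explain his case (he reports that the external address did not work either); it shows the two places where the original and the translated address are visible. Interface names, addresses and the $ext_ip macro are assumptions; `pfctl -s state` and `tcpdump -n -e -ttt -i pflog0` on the gateway are the standard ways to see which address a blocked packet actually carried.

```conf
# Added example, not from the original post. Assumes fxp0 = external with
# address $ext_ip, fxp1 = internal network 10.0.1.0/24.
ext_if  = "fxp0"
ext_ip  = "192.0.2.1"
int_if  = "fxp1"
int_net = "10.0.1.0/24"
web_srv = "10.0.1.1"

# Translation happens first: everything from the internal net leaves with the
# external address as its source.
nat on $ext_if from $int_net to any -> $ext_ip

block in  log on { $ext_if, $int_if } all
block out log on { $ext_if, $int_if } all

# Filter on the INTERNAL interface, inbound: the packet has not been translated
# yet, so the real source 10.0.1.1 is what pf sees. This is where a per-host
# policy belongs on a NAT gateway.
pass in quick on $int_if inet proto tcp from $web_srv to any port { 80, 443 } keep state

# Filter on the EXTERNAL interface, outbound: the packet has already been
# through nat, so its source is $ext_ip. A rule here saying "from 10.0.1.1"
# can never match translated traffic.
pass out quick on $ext_if inet proto tcp from $ext_ip to any port { 80, 443 } keep state
```

Putting the per-host decision on the internal interface keeps the rule readable (it names the host you mean) and avoids depending on the translated address; the external rule then only needs to admit what the gateway itself legitimately sends. If the rule on the external interface still fails with the translated source address, the pflog output will show whether the packet that was blocked even has the source, destination and port the rule expects.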