View Single Post
Old 3rd November 2011
J65nko J65nko is offline
Administrator
 
Join Date: May 2008
Location: Budel - the Netherlands
Posts: 4,128
Default

You have now
Code:
#LAN OUT
pass in on $int from $int_net tag LAN
pass in on $int from $int_net to $dmz_net tag LAN_TO_DMZ
Please consider this little bit confusing snippet from the pf man page:
Code:
tag <string>
             Packets matching this rule will be tagged with the specified
             string.  The tag acts as an internal marker that can be used to
             identify these packets later on.  This can be used, for example,
             to provide trust between interfaces and to determine if packets
             have been processed by translation rules.  Tags are "sticky",
             meaning that the packet will be tagged even if the rule is not
             the last matching rule.  Further matching rules can replace the
             tag with a new one but will not remove a previously applied tag.
             A packet is only ever assigned one tag at a time.  Tags take the
             same macros as labels (see above).
If you ping a DMZ server from the internal net, pass in on $int from $int_net tag LAN it
be tagged with LAN. However, because you don't use quick, pf will keep evaluating the ping with the next rule pass in on $int from $int_net to $dmz_net tag LAN_TO_DMZ
You can check this with pfctl -vvsr and check the Evaluations counter.

Remember that packets entering on the internal interface all have the internal lan as origin. There are however two groups: packets with destination DMZ and packets for the Internet.
If pass in quick on $int from $int_net tag LAN would come first, the packets would never be evaluated to check whether they have the DMZ as destination.

So the solution is:

Code:
pass in quick on $int from $int_net to $dmz_net tag LAN_TO_DMZ
pass in quick on $int from $int_net tag LAN
__________________
You don't need to be a genius to debug a pf.conf firewall ruleset, you just need the guts to run tcpdump
Reply With Quote