Re: pf and statesfull filtering on a bridge

[Tertou <TDeval@PrimeOBJ.COM>]

Hi Daniel,

On Thursday, October 4, 2001, at 05:29 PM, Daniel Hartmeier wrote:

> ...
> Here's an example:
>
>   # we want to filter on rl0, hence just pass anything on rl1.
>   pass in  quick on rl1 all
>   pass out quick on rl1 all
>
>   # as an example, we block eveything by default, and let pass only
>   # icmp echo requests related replies (both directions, statefully).
>   block in  on rl0 all
>   block out on rl0 all
>   pass in  on rl0 inet proto icmp all icmp-type echoreq keep state
>   pass out on rl0 inet proto icmp all icmp-type echoreq keep state
>
> This works equally well for more complex rules. The general recipe is
> to pick one interface you want to filter on. Start with two rules
> that let pass anything on the other interface (quick). After that,
> filter only on the interface you picked.

I wonder what would happen with 3 interfaces in the same bridge ?
How to allow certain traffic between 2 of the 3 interfaces and some 
other traffic between 2 other interfaces...

                    Internet
                       |
                       |
                  +----+----+
             +----+   FW    +----+
             |    +---------+    |
             |                   |
            DMZ               Intranet

e.g.
   HTTP   from Internet to DMZ
   HTTP   from Intranet to DMZ
   HTTP   from Intranet to Internet
   SQLNet from Intranet to DMZ

The answer lies probably with using a precise address filtering in the 
rules instead of 'all'...

I guess I'll have to try ;-)

T.