[Previous: Address Pools and Load Balancing] [Contents] [Next: Logging]
pass in on $int_if all tag INTERNAL_NET keep state
The tag INTERNAL_NET will be added to any packet which matches the above rule. Note the use of keep state; keep state (or modulate state/synproxy state) must be used in pass rules that tag packets.
Tagging follows these rules:
Take the following ruleset as an example.
(1) pass in on $int_if tag INT_NET keep state
(2) pass in quick on $int_if proto tcp to port 80 tag \
INT_NET_HTTP keep state
(3) pass in quick on $int_if from 192.168.1.5 keep state
In addition to applying tags with filter rules, the nat, rdr, and binat translation rules can also apply tags to packets by using the tag keyword.
pass out on $ext_if tagged INT_NET keep state
Outgoing packets on $ext_if must be tagged with the INT_NET tag in order to match the above rule. Inverse matching can also be done by using the ! operator:
pass out on $ext_if tagged ! WIFI_NET keep state
Note how the policy covers all traffic that will be passing through the firewall. The item in parentheses indicates the tag that will be used for that policy item.
Filter and translation rules now need to be written to classify packets into the policy.
rdr on $ext_if proto tcp from <spamd> to port smtp \
tag SPAMD -> 127.0.0.1 port 8025
block all
pass in on $int_if from $int_net tag LAN_INET keep state
pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ keep state
pass in on $ext_if proto tcp to $www_server port 80 tag INET_DMZ keep state
Now the rules that define the policy are set.
pass in quick on $ext_if tagged SPAMD keep state
pass out quick on $ext_if tagged LAN_INET keep state
pass out quick on $dmz_if tagged LAN_DMZ keep state
pass out quick on $dmz_if tagged INET_DMZ keep state
Now that the whole ruleset is set up, changes are a matter of modifying the classification rules. For example, if a POP3/SMTP server is added to the DMZ, it will be necessary to add classification rules for POP3 and SMTP traffic, like so:
mail_server = "192.168.0.10"
...
pass in on $ext_if proto tcp to $mail_server port { smtp, pop3 } \
tag INET_DMZ keep state
Email traffic will now be passed as part of the INET_DMZ policy entry.
The complete ruleset:
# macros
int_if = "dc0"
dmz_if = "dc1"
ext_if = "ep0"
int_net = "10.0.0.0/24"
dmz_net = "192.168.0.0/24"
www_server = "192.168.0.5"
mail_server = "192.168.0.10"

table <spamd> persist file "/etc/spammers"

# classification -- classify packets based on the defined firewall
# policy.
rdr on $ext_if proto tcp from <spamd> to port smtp \
   tag SPAMD -> 127.0.0.1 port 8025

block all

pass in on $int_if from $int_net tag LAN_INET keep state
pass in on $int_if from $int_net to $dmz_net tag LAN_DMZ keep state
pass in on $ext_if proto tcp to $www_server port 80 tag INET_DMZ keep state
pass in on $ext_if proto tcp to $mail_server port { smtp, pop3 } \
   tag INET_DMZ keep state

# policy enforcement -- pass/block based on the defined firewall policy.
pass in quick on $ext_if tagged SPAMD keep state
pass out quick on $ext_if tagged LAN_INET keep state
pass out quick on $dmz_if tagged LAN_DMZ keep state
pass out quick on $dmz_if tagged INET_DMZ keep state
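To make the evaluation order concrete for both the three-rule example (1)-(3) earlier on this page and the classification/enforcement ruleset just shown, here is a small Python model of pf's tagging. It is an example added to this page, not OpenBSD's pf code. It encodes pf's last-matching-rule semantics (a "quick" match ends evaluation, and a tag once applied stays on the packet) and leaves out rdr rules, the <spamd> table and state tracking. The macro value $int_if = "dc0", the packet addresses, and the "tagged ! WIFI_NET" ruleset in the usage are constructed for the example.

```python
# Toy model of pf's tag/tagged evaluation, added as an illustration; it is not
# OpenBSD's pf code. It covers only what the text uses (pass/block, in/out,
# quick, tag, tagged with "!", host/CIDR and port matching) and pf's ordering:
# the last matching rule decides unless a matching "quick" rule stops
# evaluation, and a tag once applied stays on the packet. rdr rules, the
# <spamd> table (and its SPAMD enforcement rule) and state tracking are left out.
import ipaddress
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional, Set, Tuple

# Constructed packet; "tag" is pf's internal mark, which is never sent on the wire.
Packet = namedtuple("Packet", "direction iface proto src dst dport tag", defaults=(None,))

@dataclass
class Rule:
    action: str                       # "pass" or "block"
    direction: Optional[str] = None   # "in", "out", or None for either
    iface: Optional[str] = None
    proto: Optional[str] = None
    src: Optional[str] = None         # host or CIDR prefix
    dst: Optional[str] = None
    dport: Optional[Set[int]] = None  # {25, 110} stands for "port { smtp, pop3 }"
    tag: Optional[str] = None         # "tag X": mark matching packets with X
    tagged: Optional[str] = None      # "tagged X": match only packets marked X
    negate_tagged: bool = False       # "tagged ! X"
    quick: bool = False

def matches(rule: Rule, pkt: Packet, tag: Optional[str]) -> bool:
    for want, have in ((rule.direction, pkt.direction), (rule.iface, pkt.iface),
                       (rule.proto, pkt.proto)):
        if want is not None and want != have:
            return False
    for spec, addr in ((rule.src, pkt.src), (rule.dst, pkt.dst)):
        if spec is not None and \
                ipaddress.ip_address(addr) not in ipaddress.ip_network(spec, strict=False):
            return False
    if rule.dport is not None and pkt.dport not in rule.dport:
        return False
    if rule.tagged is not None and (tag == rule.tagged) == rule.negate_tagged:
        return False                  # "tagged X" needs the mark, "tagged ! X" forbids it
    return True

def evaluate(rules, pkt: Packet) -> Tuple[str, Optional[str]]:
    """Run one packet through a ruleset; return (action, tag left on the packet)."""
    action, tag = "pass", pkt.tag     # pf passes a packet that no rule matches
    for rule in rules:
        if not matches(rule, pkt, tag):
            continue
        action = rule.action          # the last matching rule wins ...
        if rule.tag is not None:
            tag = rule.tag            # ... a tag sticks through later untagged matches ...
        if rule.quick:
            break                     # ... and "quick" ends evaluation here
    return action, tag

# Rules (1)-(3) from the text, with $int_if taken to be "dc0" (assumed).
SMALL = [
    Rule("pass", "in", "dc0", tag="INT_NET"),
    Rule("pass", "in", "dc0", proto="tcp", dport={80}, tag="INT_NET_HTTP", quick=True),
    Rule("pass", "in", "dc0", src="192.168.1.5", quick=True),
]

def small_ruleset_results():
    """Tags two constructed packets from 192.168.1.5 carry after rules (1)-(3)."""
    return {
        # (1) tags INT_NET; quick (3) matches but has no "tag", so INT_NET stays
        "ssh_from_5": evaluate(SMALL, Packet("in", "dc0", "tcp", "192.168.1.5", "203.0.113.5", 22)),
        # (1) tags INT_NET; quick (2) retags before (3) is reached: INT_NET_HTTP
        "web_from_5": evaluate(SMALL, Packet("in", "dc0", "tcp", "192.168.1.5", "203.0.113.5", 80)),
    }

# The classification and enforcement rules of the complete ruleset
# (dc0 = LAN, dc1 = DMZ, ep0 = Internet), minus the rdr rule and its SPAMD rule.
POLICY = [
    Rule("block"),
    Rule("pass", "in", "dc0", src="10.0.0.0/24", tag="LAN_INET"),
    Rule("pass", "in", "dc0", src="10.0.0.0/24", dst="192.168.0.0/24", tag="LAN_DMZ"),
    Rule("pass", "in", "ep0", proto="tcp", dst="192.168.0.5", dport={80}, tag="INET_DMZ"),
    Rule("pass", "in", "ep0", proto="tcp", dst="192.168.0.10", dport={25, 110}, tag="INET_DMZ"),
    Rule("pass", "out", "ep0", tagged="LAN_INET", quick=True),
    Rule("pass", "out", "dc1", tagged="LAN_DMZ", quick=True),
    Rule("pass", "out", "dc1", tagged="INET_DMZ", quick=True),
]

def forward(rules, pkt: Packet, out_iface: str) -> Tuple[str, Optional[str]]:
    """Classify on the inbound interface, then enforce on the outbound one (first packet only)."""
    action, tag = evaluate(rules, pkt)
    if action != "pass":
        return action, tag
    return evaluate(rules, pkt._replace(direction="out", iface=out_iface, tag=tag))

def policy_results():
    """Constructed flows: LAN host 10.0.0.3 and Internet host 198.51.100.4."""
    lan, inet = "10.0.0.3", "198.51.100.4"
    return {
        "lan_to_internet": forward(POLICY, Packet("in", "dc0", "tcp", lan, "203.0.113.9", 443), "ep0"),
        "lan_to_dmz_web": forward(POLICY, Packet("in", "dc0", "tcp", lan, "192.168.0.5", 80), "dc1"),
        "inet_to_mail": forward(POLICY, Packet("in", "ep0", "tcp", inet, "192.168.0.10", 25), "dc1"),
        "inet_to_dmz_ssh": forward(POLICY, Packet("in", "ep0", "tcp", inet, "192.168.0.10", 22), "dc1"),
    }
```

Running small_ruleset_results() shows the two points the text makes about rules (1)-(3): the "quick" rule (3) passes the 192.168.1.5 packet but leaves the INT_NET tag from rule (1) in place, while port 80 traffic picks up INT_NET_HTTP from rule (2) before rule (3) is considered. policy_results() shows the two-stage design of the complete ruleset: the inbound rule only classifies (block all is overridden by a later matching pass rule that tags), and the outbound "quick ... tagged" rule is what actually lets the packet leave; an Internet packet to the DMZ on a port with no classification rule never gets a tag and stays blocked. Inverse matching ("tagged ! X") works the same way with negate_tagged=True.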
# brconfig bridge0 rule pass in on fxp0 src 0:de:ad:be:ef:0 \
tag USER1
And then in pf.conf:
pass in on fxp0 tagged USER1