Attachment 206498 Details for Bug 239749 – PF ruleset using modulate state

PF ruleset using modulate state

modulate.pf.conf (text/plain), 1001 bytes, created by Niclas Zeising on 2019-08-13 18:44:43 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Niclas Zeising

Created: 2019-08-13 18:44:43 UTC

Size: 1001 bytes

patch

obsolete

>ext_vlan="vlan1000"
>int_vlan="vlan2000"
>
>set skip on lo0
>set debug urgent
>set block-policy drop
>set loginterface $ext_vlan
>set state-policy if-bound
>set limit states 100000
>
>scrub in fragment reassemble
>
>block log
>
>antispoof log quick for { $ext_vlan $int_vlan }
>block in log quick from urpf-failed
>
>pass out on $ext_vlan from { $ext_vlan $int_vlan:network } to !$ext_vlan modulate state
>pass out on $int_vlan from $int_vlan to { $int_vlan:network fe80::/64 ff02::/16 } modulate state
>
>pass in on $ext_vlan from $ext_vlan:network to { !self !$int_vlan:network } modulate state
>pass in on $int_vlan from $int_vlan:network to { !self } modulate state
>
>pass in on $ext_vlan inet6 proto icmp6 from { $ext_vlan:network fe80::/64 } to { $ext_vlan } icmp6-type echoreq keep state
>pass in on $int_vlan inet6 proto icmp6 from { $int_vlan:network fe80::/64 } to { $ext_vlan $int_vlan } icmp6-type echoreq keep state
>
>pass in inet6 proto icmp6 icmp6-type { neighbrsol neighbradv routersol routeradv } keep state

Actions: View

Attachments on bug 239749: 206496 | 206497 | 206498 | 206499 | 206500 | 206501 | 206502