
Re: pf with many interfaces?



Adam Morley wrote:

table <internal_subnets> { 10.1.1.0/24, 10.1.2.0/24, 10.1.0.0/24 }
.. tables for rfc1918, classD, classE, etc.
table <outsideworld> { *, !<internal_subnets>, !<rfc1918>, !<classD>, !<classE> }  (can I use * or should it be 0.0.0.0/0?)

It should be 0/0, and you cannot have tables containing tables.
rfc1918 and friends should be macros like $rfc1918.

table <notoutside> { <internal_subnets>, <rfc1918>, <classD>, <classE> }

You don't need 2 tables with just the opposite content:

antispoof quick for em0
antispoof quick for em1
antispoof quick for em2

block in quick on em3 from <notoutside>

You could use: "block in quick on em3 from !<outsideworld>"

I'll leave the rest of your questions to more experienced people,
but basically I would try to put "strict" rules on the interface(s)
connected to the Internet, and you can be more loose on internal
interfaces, depending on how much trust you have in your users. :)
Cedric
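
A pf.conf fragment putting the two answers above together, added here as an example and not taken from either message: the RFC 1918 / class D / class E groups are macros (tables cannot nest), the internal subnets are the one table Adam already had, and a single <outsideworld> table built from 0.0.0.0/0 with negated entries replaces the <notoutside> mirror table. The interface names em0 to em3 are the ones in the thread; the pass rules at the end are assumed and only illustrate the "strict outside, looser inside" split.

```pf
# Added example, not from the thread. em0-em2 are internal, em3 faces
# the Internet (as in Adam's message); the pass rules are assumed.
ext_if  = "em3"
int_ifs = "{ em0, em1, em2 }"

# pf tables cannot contain other tables, so groups that are reused in
# several places are macros. A macro is plain text substitution, so one
# that expands to a list may only be used where a list is legal.
rfc1918 = "{ 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }"
classD  = "224.0.0.0/4"
classE  = "240.0.0.0/4"

table <internal_subnets> { 10.1.1.0/24, 10.1.2.0/24, 10.1.0.0/24 }

# One table is enough: 0.0.0.0/0 plus "!" entries means "every address
# except these", so !<outsideworld> in a rule matches exactly the
# internal, private, multicast and reserved sources. "!" must be put in
# front of a single address, not a list, so the rfc1918 prefixes are
# spelled out here instead of written as !$rfc1918.
table <outsideworld> {
    0.0.0.0/0,
    !10.1.1.0/24, !10.1.2.0/24, !10.1.0.0/24,
    !10.0.0.0/8, !172.16.0.0/12, !192.168.0.0/16,
    !224.0.0.0/4, !240.0.0.0/4
}

set skip on lo0

# Drop packets whose source address belongs to a network that is
# attached to a different interface than the one they arrived on.
antispoof quick for $int_ifs
antispoof quick for $ext_if

# Strict on the Internet side: a packet from the outside claiming an
# inside, private, multicast or reserved source is dropped first, then
# everything else inbound is logged and dropped unless passed below.
block in quick on $ext_if from !<outsideworld>
block in log on $ext_if

# The macros in a rule: a list macro expands into one rule per element.
# Nothing destined for private space should leave on the Internet link.
block out quick on $ext_if to $rfc1918
block out quick on $ext_if to { $classD, $classE }

# Looser on the inside: let the internal networks out, keeping state so
# replies are matched against the state table rather than the ruleset.
pass in on $int_ifs from <internal_subnets>
pass out on $ext_if from <internal_subnets>
```

`pfctl -nf /etc/pf.conf` parses the file without loading it, and `pfctl -t outsideworld -T test 10.1.1.5` shows whether an address falls inside the table (here it should not, because of the "!10.1.1.0/24" entry), which is the quickest way to confirm the negated entries do what the comment claims before the ruleset goes live.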