PF on loopback interfaces and skips

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view

PF on loopback interfaces and skips


I am using openbsd as a router and I heavily utilise skips in pf on
the transit interfaces. I use a dedicated loopback interface for
router management. However, this poses a problem where the use of
skips on transit interfaces then allows all traffic to my management
loopback interface.

Any idea on how to solve this while keeping the skips?

I have been considering putting my management interface into a
separate rtable. This is probably the prudent thing to do but it
requires rather substantial changes on my end.
Another way would be to remove skips and use very wide "pass" rules
combined with blocks.

Example current pf.conf:
set ruleset-optimization none
set reassemble no
set state-defaults sloppy
set limit tables 500
set skip on vlan1001
set skip on vlan1002
set skip on vlan1003
pass quick on lo1 from <sysops>