Hello,
i am trying to setup an ipfilter firewall but i get an error within my policy set that i dont understand.
Here is the setup:
re0 is the WAN interface with an dynamic assigned WAN IP via DHCP
re1 is the lan side with the ip 10.112.129.254/24
I have a working testpolicy that does everything as expected using re0 dynamic ip as destination.
I have another working test policy with local networks as source and destination that does exactly what i expect:
Now the part that i don't understand. When i combine these policies into one ruleset, then i get an error
So the rule
is giving me an error. But why when it is working in another context where i dont use an interface address as destination in a Rule before.
Here is the combined ruleset.
i am trying to setup an ipfilter firewall but i get an error within my policy set that i dont understand.
Here is the setup:
re0 is the WAN interface with an dynamic assigned WAN IP via DHCP
re1 is the lan side with the ip 10.112.129.254/24
I have a working testpolicy that does everything as expected using re0 dynamic ip as destination.
Code:
# no restrictions on loopback interface
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on re0 proto tcp from any to re0 port = 22 keep state
pass in quick on re0 proto icmp from 1.2.3.4 to re0 icmp-type echo keep state
pass in quick on re0 proto udp from 1.2.3.4 to re0 port = 500 keep state
pass in quick on re0 proto udp from 1.2.3.4 to re0 port = 4500 keep state
pass in quick on re0 proto esp from 1.2.3.4 to re0 keep state
pass out quick on re0 all keep state
#Cleanup Rule
block in quick all
block out quick allI have another working test policy with local networks as source and destination that does exactly what i expect:
Code:
# no restrictions on loopback interface
pass in quick on lo0 all
pass out quick on lo0 all
pass out quick on re1 proto icmp from 192.168.188.0/24 to 10.112.129.0/24 icmp-type echo keep state
pass out quick on re1 proto tcp from 192.168.188.0/24 to 10.112.129.0/24 port = (22,80,443) keep state
pass in quick on re1 out-via re0 proto icmp from 10.112.129.0/24 to any icmp-type echo keep state
#Cleanup Rule
block in quick all
block out quick allNow the part that i don't understand. When i combine these policies into one ruleset, then i get an error
Code:
23:12:ioctl(add/insert rule): bad interface index with dynamic source addressSo the rule
Code:
pass out quick on re1 proto icmp from 192.168.188.0/24 to 10.112.129.0/24 icmp-type echo keep stateHere is the combined ruleset.
Code:
# no restrictions on loopback interface
pass in quick on lo0 all
pass out quick on lo0 all
pass in quick on re0 proto tcp from any to re0 port = 22 keep state
pass in quick on re0 proto icmp from 1.2.3.4 to re0 icmp-type echo keep state
pass in quick on re0 proto udp from 1.2.3.4 to re0 port = 500 keep state
pass in quick on re0 proto udp from 1.2.3.4 to re0 port = 4500 keep state
pass in quick on re0 proto esp from 1.2.3.4 to re0 keep state
pass out quick on re1 proto icmp from 192.168.188.0/24 to 10.112.129.0/24 icmp-type echo keep state
pass out quick on re0 all keep state
#Cleanup Rule
block in quick all
block out quick all