After getting pf working with a "block in all" rule,
I am now trying to add a rule to allow local and internet access to my
webserver.
I have been able to access the web server from a computer on a subnet.
I copied a rule from the OpenBSD pf FAQ which would seem to accomplish this
(see ruleset below), but nothing comes back, even to my browser running on the
same computer.
What pf rule(s) do I have to change/add to permit my browser and others on the
internet to access the web server?
Thanks,
Dave Feustel
===========current pf ruleset================
ext_if = "xl0"
#ext_ad = "71.97.201.76"
ext_ad = "(xl0)"
web_server = "(xl0)"
pr1 = "192.168.1.1/24"
pr2 = "192.168.2.1/24"
pr3 = "192.168.3.1/24"
pr4 = "192.168.4.1/24"
nat_proto = "{tcp, udp, icmp}"
# options
set require-order yes
set block-policy drop
set optimization normal
set loginterface none
# scrubbing
scrub in all
scrub out all
# nat rules
nat on $ext_if inet proto $nat_proto \
from {$pr1, $pr2, $pr3, $pr4} to any -> $ext_ad
# filtering
pass in quick on sis1
block in log all
pass in on $ext_if proto tcp to $web_server \
port www flags S/SA keep state \
(max 200, source-track rule, max-src-nodes 100, max-src-states 3)
pass out log quick on $ext_if inet \
from ($ext_if) to any flags S/SA keep state
antispoof for $ext_if
===================================
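For reference, an added example (not from the original post or any reply to it) of how the same ruleset is usually laid out so that the local browser gets through as well. It assumes OpenBSD 3.6 or later for `set skip` and keeps the pre-4.7 `nat on` syntax of the post; interface names, subnets and state limits are the poster's own. The posted ruleset has no pass rule for lo0, and a connection from the machine to its own xl0 address travels over lo0, so it is caught by `block in log all` and by the antispoof block for packets sourced from xl0's address.

```pf
# Macros: same interfaces and subnets as the posted ruleset.
ext_if     = "xl0"
int_if     = "sis1"
web_server = "($ext_if)"          # parentheses: re-read the address if it changes
pr1 = "192.168.1.0/24"
pr2 = "192.168.2.0/24"
pr3 = "192.168.3.0/24"
pr4 = "192.168.4.0/24"
nat_proto = "{ tcp, udp, icmp }"

# Options
set block-policy drop
set loginterface none
# Loopback traffic, which includes a browser on this host talking to its own
# xl0 address, is never filtered.  Assumes OpenBSD 3.6 or later; older
# releases use "pass quick on lo0 all" instead.
set skip on lo0

# Normalisation
scrub in all
scrub out all

# NAT for the internal subnets (pre-4.7 syntax, as in the post)
nat on $ext_if inet proto $nat_proto from { $pr1, $pr2, $pr3, $pr4 } to any -> ($ext_if)

# Filtering: pf applies the LAST matching rule unless a rule says "quick",
# so the default block comes first and the exceptions follow it.
block in log all

# Spoofed sources are dropped before any pass rule can match them.
antispoof quick for $ext_if

# Internal LAN is trusted
pass in quick on $int_if

# Web server: the only service exposed on the outside interface.
# The state-tracking limits are the poster's own, taken from the pf FAQ.
pass in on $ext_if inet proto tcp from any to $web_server \
    port www flags S/SA keep state \
    (max 200, source-track rule, max-src-nodes 100, max-src-states 3)

# Outbound connections from this host
pass out on $ext_if inet from ($ext_if) to any flags S/SA keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`. Because the default block is logged, `tcpdump -n -e -ttt -i pflog0` shows which rule is dropping a packet that does not get through.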