On Sun, Jul 26, 2009 at 12:58:08AM -0500, Andres Salazar wrote:
> I apologize that my ruleset isn't very clear. I am trying to put together a
> ruleset that will allow the following access:
> 
> Outbound port 80 (web) & 53 (domain) from users at $int_if via $ext_if
> Outbound port 80 (web) & 53 (domain) & 443 (ssl) & 22 (ssh) from $int_if2
> via $ext_if

Here's a basic ruleset that meets your requirements.  Hasn't been tested
for syntax.  Note that I make no effort to filter traffic between the
two internal segments.  This would require a different approach (no set
skip on internal if's, pass in on the internal if's explicitly).  There
are also no "pass out" rules for traffic originating from the firewall
itself, you'll probably want to add something for this.


# Interface macros: re1 faces the Internet, re0 and re2 are the two
# internal segments.
ext_if  = "re1"
int_if  = "re0"
int_if2 = "re2"

# No filtering at all on loopback or on either internal interface; every
# packet from the inside is only looked at when it leaves on $ext_if.
set skip on { lo $int_if $int_if2 }

# Normalise (reassemble fragments, etc.) all inbound packets.
scrub in

# Translate tcp/udp from both internal networks to the address of $ext_if;
# the parentheses make pf track that address if it changes.
nat on $ext_if inet proto { tcp udp } from $int_if:network to any \
        -> ($ext_if)
nat on $ext_if inet proto { tcp udp } from $int_if2:network to any \
        -> ($ext_if)

# Default deny, then the per-segment allow list on the external interface.
block all
# $int_if segment: DNS and web only.
pass out on $ext_if inet proto tcp from $int_if:network to any \
        port { 53 80 }
pass out on $ext_if inet proto udp from $int_if:network to any \
        port 53
# $int_if2 segment: DNS, web, https and ssh.
pass out on $ext_if inet proto tcp from $int_if2:network to any \
        port { 22 53 80 443 }
pass out on $ext_if inet proto udp from $int_if2:network to any \
        port 53


-- 
Jason Dixon
DixonGroup Consulting
http://www.dixongroup.net/
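The reply above sketches, but does not write out, the "different approach" of dropping set skip on the internal interfaces and passing traffic in on them explicitly. The ruleset below is an added example (not Jason's or Andres's own configuration) of that approach, using the interface names and port policy from the thread. It also covers the two gaps the reply points out: traffic between the two internal segments, and traffic originating from the firewall itself. Two properties of pf with the classic nat rule syntax drive the layout: the nat rule is applied only on $ext_if, so rules evaluated on the internal interfaces see the clients' untranslated addresses, and on $ext_if the source is rewritten before the pass out rules are evaluated, so per-segment decisions are made on the way in rather than on the way out. The antispoof line, the logging, the quick inter-segment blocks and the single catch-all pass out rule are my assumptions about what was wanted; adjust them to taste.

```pf
# Added example, not the ruleset from the thread: explicit "pass in"
# filtering per internal segment instead of "set skip" on them.
# Interface names and the port policy come from the thread; the rest
# (antispoof, logging, inter-segment blocks, the pass out rule) is assumed.

ext_if  = "re1"
int_if  = "re0"
int_if2 = "re2"

# Only loopback stays unfiltered; both internal interfaces now hit the rules.
set skip on lo

scrub in

# Outbound translation to the (possibly dynamic) address of $ext_if.
nat on $ext_if inet proto { tcp udp } from $int_if:network to any \
        -> ($ext_if)
nat on $ext_if inet proto { tcp udp } from $int_if2:network to any \
        -> ($ext_if)

# Default deny.  Logged, so rejected packets can be watched with
# "tcpdump -n -e -ttt -i pflog0" while debugging the policy.
block log all

# Drop packets arriving on an internal interface whose source address does
# not belong to that interface's network (one segment spoofing the other).
antispoof quick for { $int_if $int_if2 }

# No traffic between the two internal segments.  "quick" ends evaluation
# here, so none of the pass rules below can override these.
block in quick on $int_if  inet from any to $int_if2:network
block in quick on $int_if2 inet from any to $int_if:network

# Segment on $int_if: DNS and web only.  nat is only applied on $ext_if,
# so these rules match the clients' real addresses.
pass in on $int_if inet proto tcp from $int_if:network to any \
        port { 53 80 } keep state
pass in on $int_if inet proto udp from $int_if:network to any \
        port 53 keep state

# Segment on $int_if2: DNS, web, https and ssh.
pass in on $int_if2 inet proto tcp from $int_if2:network to any \
        port { 22 53 80 443 } keep state
pass in on $int_if2 inet proto udp from $int_if2:network to any \
        port 53 keep state

# Policy was enforced on the way in, so on the way out only the connection
# state matters.  This one rule creates the (translated) outbound state for
# forwarded traffic and also lets the firewall's own connections out, which
# the ruleset in the reply above does not provide for.
pass out on $ext_if inet keep state
```

Check the syntax without loading anything with `pfctl -nf /etc/pf.conf`, then load it with `pfctl -f /etc/pf.conf` and confirm the expanded rules with `pfctl -sr`; the `:network` and `($ext_if)` forms are expanded at load time, so that listing is the quickest way to see what pf actually matches on.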
