Hello Jason,
I understood the purpose of allowing internet access for the firewall
itself. However, this is exactly where I am still stuck.
By doing this after our default block all:
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any \
port { 53 80 22 443 }
I am actually allowing it for both $int_if and $int_if2, thus the following
port restriction rules are not getting evaluated.
Full ruleset is here:
http://pastebin.com/d3f292c50
Andres
On Sun, Jul 26, 2009 at 12:32 PM, Jason Dixon <[email protected]> wrote:
> On Sun, Jul 26, 2009 at 12:14:53PM -0500, Andres Salazar wrote:
> > Thank you for the help, I believe that I already tried something similar and
> > could not access the internet behind $int_if, or $int_if2. Traffic is
> > getting blocked by "block all" as per the following pflog1:
> >
> > Jul 26 05:11:51.250502 rule 0/(match) block out on re1: 192.168.1.2.55533 > 190.40.3.10.53: 22454+[|domain] (DF)
> > Jul 26 05:11:51.407931 rule 0/(match) block out on re1: 192.168.1.2.63872 > 190.40.3.13.53: 37289+[|domain] (DF)
> > Jul 26 05:11:51.408132 rule 0/(match) block out on re1: 192.168.1.2.51104 > 190.40.3.13.53: 14850+[|domain] (DF)
> >
> > 192.168.1.2 is the IP of the firewall itself in relationship to $ext_if.
>
> To reiterate:
>
> > > There are also no "pass out" rules for traffic originating from the firewall
> > > itself, you'll probably want to add something for this.
>
> Add a pass rule for outbound traffic from the firewall itself. Adjust
> for any additional services that it should be able to reach.
>
> pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port 53
>
> --
> Jason Dixon
> DixonGroup Consulting
> http://www.dixongroup.net/
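An added example (not from this thread or from Andres' pastebin ruleset) showing why the suggested "pass out ... from ($ext_if)" rule also matches NATed LAN traffic, and one way to keep the firewall's own traffic and forwarded LAN traffic under separate rules using pf tags. Interface names, networks and port lists are assumed, and it uses the pre-OpenBSD 4.7 "nat on" syntax that was current when this thread was written.

```pf
# Assumed interface names and port lists (example values only)
ext_if  = "re1"
int_if  = "re0"
int_if2 = "re2"
fw_ports  = "{ 53 80 22 443 }"   # what the firewall itself may reach
lan_ports = "{ 53 80 443 }"      # what LAN hosts may reach

set skip on lo

# Translation runs before filtering on $ext_if: by the time a LAN packet is
# evaluated "out on $ext_if" its source address is already ($ext_if), so a
# plain "pass out on $ext_if from ($ext_if)" rule matches it as well as the
# firewall's own packets. That is the overlap described in the thread.
nat on $ext_if from { $int_if:network $int_if2:network } to any -> ($ext_if)

block log all

# LAN traffic: restrict it on the inside interface, where the real source
# address is still visible, and mark it so it can be told apart later.
pass in on $int_if  inet proto { tcp udp } from $int_if:network  to any port $lan_ports tag LAN
pass in on $int_if2 inet proto { tcp udp } from $int_if2:network to any port $lan_ports tag LAN

# Forwarded LAN traffic leaving $ext_if. With the default floating state
# policy the state created by the pass-in rules already covers this leg;
# the explicit rule keeps the intent readable next to "block all".
pass out on $ext_if tagged LAN

# The firewall's own traffic: untagged packets sourced from the external
# address. "! tagged LAN" keeps NATed LAN packets from matching this rule,
# so the per-LAN port restrictions above stay in force.
pass out on $ext_if inet proto { tcp udp } from ($ext_if) to any port $fw_ports ! tagged LAN
```

Check the result with `pfctl -nf /etc/pf.conf` before loading, and watch `tcpdump -n -e -ttt -i pflog0` to confirm which rule number now blocks or passes a given packet.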