Hello Patrick, I also tried your approach, but at the end it behaves the same. Without the "pass out" I don't have internet on either of the two interfaces; with it, I just have totally opened ports on both of the interfaces. The restrictive port rules are being ignored.
Any help is much appreciated.

Andres

On Sun, Jul 26, 2009 at 1:05 AM, patrick keshishian<[email protected]> wrote:
> On Sat, Jul 25, 2009 at 9:23 PM, Jason Dixon<[email protected]> wrote:
>> On Sat, Jul 25, 2009 at 09:41:45PM -0500, Andres Salazar wrote:
>>> Hello OpenBSD-misc,
>>>
>>> I have a newbie question in pf that I've been trying to debug on what would
>>> be wrong with my ruleset. I am trying to have the users that are on $int_if
>>> only have ports 80 & 52 opened out, and users on $int_if be able to have
>>> less restrictions and more ports out. So far I have something like this but
>>> it isn't working:
>>
>> Allow me to be the first to say "RTFAQ".
>>
>>> ext_if = "re1"
>>> int_if = "re0"
>>> int_if2 = "re2"
>>>
>>>
>>> set skip on lo
>>>
>>> scrub in
>>>
>>> nat on re1 from re0:network to any -> re1
>>> nat on re1 from re2:network to any -> re1
>>>
>>> block all
>>> pass quick on $ext_if // I have added this so that the firewall itself has
>>> full internet access
>>> #pass in quick on $int_if
>>
>> Here you're blocking all by default (inbound and outbound on all
>> interfaces), but then you immediately "pass quick" (outbound *and*
>> inbound) on your external interface. Very wrong.
>>
>>> pass out log quick on $ext_if inet proto { tcp, udp } from ($ext_if) to any \
>>> port 53 keep state
>>>
>>> pass out log quick on $ext_if inet proto { tcp } from ($ext_if) to any \
>>> port 80 keep state
>>
>> Here you're passing outbound on your external interface for DNS and http
>> traffic. But a) you've already allowed everything on $ext_if so this is
>> unnecessary, and b) you've never allowed any traffic from your internal
>> interfaces.
>>
>> Honestly, I don't know *what* you're trying to accomplish because your
>> description doesn't match anything in your ruleset. Perhaps you can
>> describe again what you're trying to do and what the differences are
>> supposed to be between $int_if and $int_if2.
>
> I think he has a few typos in his email that cause confusion. I think
> what he wants is something like the following, which is not tested,
> and I know this is a copout, but I'm tired and should not be doing
> this:
>
> /------------------------------------------------------------------------------\
> ext_if = "re1"
> int_if = "re0" # only ports 53 and 80 allowed out
> int_if2 = "re2" # no restrictions on outbound traffic
>
> set skip on lo
> match in all scrub (no-df) # XXX
>
> # XXX I do not use NAT so leaving this to the experts
> nat on re1 from re0:network to any -> re1
> nat on re1 from re2:network to any -> re1
>
> block all
> pass out
> pass in on $int_if2
> pass in log on $int_if inet proto { tcp, udp } from any to any port { 53, 80 }
> \------------------------------------------------------------------------------/
>
> He may need finer control over who from $int_if2 is allowed access to
> the firewall.
>
> --patrick
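For reference, a ruleset that implements the policy the thread is after (only DNS and HTTP out from $int_if, no outbound restriction on $int_if2), written out here as an added illustration rather than Patrick's or Andres's own configuration. It keeps the interface names and the pre-4.7 `nat` syntax used in the thread, and assumes each LAN's hosts sit on that interface's directly attached network.

```pf
ext_if  = "re1"
int_if  = "re0"   # restricted LAN: ports 53 and 80 out only
int_if2 = "re2"   # trusted LAN: no outbound restriction

set skip on lo
scrub in

nat on $ext_if from $int_if:network  to any -> ($ext_if)
nat on $ext_if from $int_if2:network to any -> ($ext_if)

# Default deny, logged so pflog0 shows what the policy is dropping.
# pf walks the whole ruleset and the LAST matching rule wins unless a rule
# says "quick", so a broad "pass quick on $ext_if" up here would swallow
# everything that follows. Keep the specific pass rules below it instead.
block log all

# The firewall's own traffic leaves through $ext_if; forwarded LAN traffic
# already admitted by a "pass in" below is carried by its state entry and
# needs no separate pass out rule.
pass out on $ext_if keep state

# Restricted LAN: only DNS (udp/tcp 53) and HTTP (tcp 80) from its own
# network may enter the firewall. Anything else falls through to
# "block log all" above, which is what enforces the restriction.
pass in log on $int_if inet proto udp from $int_if:network to any \
    port 53 keep state
pass in log on $int_if inet proto tcp from $int_if:network to any \
    port { 53, 80 } flags S/SA keep state

# Trusted LAN: anything sourced from its own network is allowed through.
# Narrow "to any" here if hosts on $int_if2 should not reach the
# firewall's own services.
pass in on $int_if2 from $int_if2:network to any keep state
```

Check the file with `pfctl -nf /etc/pf.conf` before loading it with `pfctl -f /etc/pf.conf`; `pfctl -sr` then shows the rules the kernel is actually evaluating, which is the first thing to compare against when a restriction appears to be ignored.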

