This host is a firewall doing NAT for $our_hosts_ext. It allows
certain traffic from (a) our local network, $ourlocal and (b) partner
networks, $networks_friendly.
The intention here was to default-deny all traffic addressed
to $our_hosts_ext and this host itself; I wrote separate rules
for those so that I could test and log them separately, and so
that I could keep the rulesets for "hosts" and "the firewall"
separate in the config file.
The problem is that I'm logging ssh attempts (on the firewall
itself) which are getting through, and are not from $ourlocal or
$networks-friendly. Clearly I've made a mistake. I'd appreciate
it if someone could tell me where. Thanks.
my_outside_interface = "{ eth1 }"
my_inside_interface = "{ eth0 }"
our_hosts_ext = "{" $host1_ext $host2_ext $host3_ext "}"
my_outside_ip = "{ 1.2.3.4 }"
table <networks-friendly> persist file "/etc/pf/pf.friendly"
table <ourlocal> persist { 1.2.3.0/24 }
# block all to our hosts
block in log on $my_outside_interface from any to $our_hosts_ext
# block all to me
block in log on $my_outside_interface from any to $my_outside_ip
# allow ssh
pass in log on $my_outside_interface proto tcp from <ourlocal> to
$my_outside_ip port ssh
pass in log on $my_outside_interface proto tcp from
<networks-friendly> to $my_outside_ip port ssh
