PF Question/Help

Mon, 23 Dec 2024 10:32:47 -0800 

So new to PF, first time config.
I have my gateway with a connection to my ISP and three sub nets. The third sub net ($wired3) (10.0.3.x) I would like to restrict traffic between it and the ISP. Clients on 10.0.3.x should not be able to access the other sub nets. But I can't keep the requests from escaping. 

So is my ordering incorrect or am I missing a rule?


I included the verbose output of pfctl, my pf.conf and the output of 
ifconfig. Is anything else needed?


Thanks.

Jon



pfctl -v:

cmp_types = "echoreq"
isp = "em0"
wired1 = "em1"
wired2 = "em2"
wired3 = "em3"
table <martians> { 0.0.0.0/8 127.0.0.0/8 169.254.0.0/16 172.16.0.0/12 
192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 
203.0.113.0/24 }
set block-policy drop
set loginterface egress
set skip on { lo0 }
block return in on ! lo0 proto tcp from any to any port 6000:6010
block return out log proto tcp all user = 55
block return out log proto udp all user = 55
match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from ! (egress:network) to any nat-to (egress:0) 
round-robin
block drop in quick on ! egress inet from 10.0.0.0/24 to any
block drop in quick on ! egress inet6 from 2601:85:c47f:2cc0::/64 to any
block drop in quick inet from 10.0.0.99 to any
block drop in quick on ! em0 inet from 10.0.0.0/24 to any
block drop in quick on ! em1 inet from 10.0.1.0/24 to any
block drop in quick inet from 10.0.1.1 to any
block drop in quick on ! em2 inet from 10.0.2.0/24 to any
block drop in quick inet from 10.0.2.1 to any
block drop in quick on ! em3 inet from 10.0.3.0/24 to any
block drop in quick inet from 10.0.3.1 to any
block drop in quick on em0 inet6 from fe80::20d:b9ff:fe60:e830 to any
block drop in quick inet6 from 2601:85:c47f:2cc0:e5b3:cbf0:6155:3327 to any
block drop in quick inet6 from 2601:85:c47f:2cc0:c498:c740:cf8f:3e85 to any
block drop in quick inet6 from 2601:85:c47f:2cc0:ead1:c7b5:d425:a9e0 to any
block drop in quick on ! em0 inet6 from 2601:85:c47f:2cc0::/64 to any
block drop in quick on em1 inet6 from fe80::20d:b9ff:fe60:e831 to any
block drop in quick on em2 inet6 from fe80::20d:b9ff:fe60:e832 to any
block drop in quick on em3 inet6 from fe80::20d:b9ff:fe60:e833 to any
block drop in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block drop all
block drop out quick inet from 10.0.3.1 to 10.0.1.1
block drop out quick inet from 10.0.3.1 to 10.0.2.1
pass out quick inet from 10.0.3.1 to 10.0.0.99 flags S/SA
pass out on em0 inet6 from fe80::20d:b9ff:fe60:e830 to any flags S/SA
pass out inet6 from 2601:85:c47f:2cc0:e5b3:cbf0:6155:3327 to any flags S/SA
pass out inet6 from 2601:85:c47f:2cc0:c498:c740:cf8f:3e85 to any flags S/SA
pass out inet6 from 2601:85:c47f:2cc0:ead1:c7b5:d425:a9e0 to any flags S/SA
pass out on em1 inet6 from fe80::20d:b9ff:fe60:e831 to any flags S/SA
pass out on em2 inet6 from fe80::20d:b9ff:fe60:e832 to any flags S/SA
pass out inet from 10.0.0.99 to any flags S/SA
pass out inet from 10.0.1.1 to any flags S/SA
pass out inet from 10.0.2.1 to any flags S/SA
pass in on em0 all flags S/SA
pass in on em1 all flags S/SA
pass in on em2 all flags S/SA
pass in on em3 all flags S/SA
pass in on egress inet proto tcp from any to (egress) port = 80 flags S/SA 
rdr-to 10.0.0.103
pass in on egress inet proto tcp from any to (egress) port = 443 flags S/SA 
rdr-to 10.0.0.103
pass in on egress inet proto tcp from any to (egress) port = 4533 flags S/SA 
rdr-to 10.0.0.100



pf.conf:

block return in on ! lo0 proto tcp to port 6000:6010

# Port build user does not need network
block return out log proto {tcp udp} user _pbuild

cmp_types = "echoreq"

isp    = "em0"
wired1 = "em1"
wired2 = "em2"
wired3 = "em3"
table <martians> { 0.0.0.0/8            127.0.0.0/8 169.254.0.0/16     \
                   172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 224.0.0.0/3 \
                   192.168.0.0/16 198.18.0.0/15 198.51.100.0/24        \
                   203.0.113.0/24 }

set block-policy drop
set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)
match out on egress inet from !(egress:network) to any nat-to (egress:0)

antispoof quick for { egress $isp $wired1 $wired2 $wired3 }

block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block all

block out quick from $wired3 to { $wired1 $wired2 }

pass out quick inet from $wired3 to $isp

pass in on { $isp $wired1 $wired2 $wired3 }

pass out from { $isp $wired1 $wired2 }

# port forwarding
pass in on egress inet proto tcp from any to (egress) port { 80 443 } rdr-to 
10.0.0.103
pass in on egress inet proto tcp from any to (egress) port { 4533 } rdr-to 
10.0.0.100



ifconfig:

lo0: flags=2008049<UP,LOOPBACK,RUNNING,MULTICAST,LRO> mtu 32768
        index 6 priority 0 llprio 3
        groups: lo
        inet6 ::1 prefixlen 128
        inet6 fe80::1%lo0 prefixlen 64 scopeid 0x6
        inet 127.0.0.1 netmask 0xff000000
em0: 
flags=248843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6TEMP,AUTOCONF6> 
mtu 1500
        lladdr 00:0d:b9:60:e8:30
        description: isp
        index 1 priority 0 llprio 3
        groups: isp egress
        media: Ethernet autoselect (1000baseT full-duplex,rxpause,txpause)
        status: active
        inet 10.0.0.99 netmask 0xffffff00 broadcast 10.0.0.255
        inet6 fe80::20d:b9ff:fe60:e830%em0 prefixlen 64 scopeid 0x1
        inet6 2601:85:c47f:2cc0:e5b3:cbf0:6155:3327 prefixlen 64 autoconf 
pltime 299 vltime 299
        inet6 2601:85:c47f:2cc0:c498:c740:cf8f:3e85 prefixlen 64 autoconf 
temporary pltime 0 vltime 299
        inet6 2601:85:c47f:2cc0:ead1:c7b5:d425:a9e0 prefixlen 64 autoconf 
temporary pltime 299 vltime 299
em1: 
flags=248843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6TEMP,AUTOCONF6> 
mtu 1500
        lladdr 00:0d:b9:60:e8:31
        description: home lan
        index 2 priority 0 llprio 3
        groups: lan wired home
        media: Ethernet autoselect (none)
        status: no carrier
        inet 10.0.1.1 netmask 0xffffff00 broadcast 10.0.1.255
        inet6 fe80::20d:b9ff:fe60:e831%em1 prefixlen 64 scopeid 0x2
em2: 
flags=248843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6TEMP,AUTOCONF6> 
mtu 1500
        lladdr 00:0d:b9:60:e8:32
        description: home wifi
        index 3 priority 0 llprio 3
        groups: lan wifi home
        media: Ethernet autoselect (1000baseT full-duplex,master)
        status: active
        inet 10.0.2.1 netmask 0xffffff00 broadcast 10.0.2.255
        inet6 fe80::20d:b9ff:fe60:e832%em2 prefixlen 64 scopeid 0x3
em3: 
flags=248843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,AUTOCONF6TEMP,AUTOCONF6> 
mtu 1500
        lladdr 00:0d:b9:60:e8:33
        description: guest/iot wifi
        index 4 priority 0 llprio 3
        groups: lan wifi guest
        media: Ethernet autoselect (1000baseT full-duplex)
        status: active
        inet 10.0.3.1 netmask 0xffffff00 broadcast 10.0.3.255
        inet6 fe80::20d:b9ff:fe60:e833%em3 prefixlen 64 scopeid 0x4
enc0: flags=0<>
        index 5 priority 0 llprio 3
        groups: enc
        status: active
pflog0: flags=141<UP,RUNNING,PROMISC> mtu 33136
        index 7 priority 0 llprio 3
        groups: pflog
























					Reply via email to