On 2024-12-24 08:27, Jon Fineman wrote:
On Tue, Dec 24, 2024 at 02:26:18AM +0100, Markus Wernig wrote:
On 12/23/24 19:31, Jon Fineman wrote:

third subnet ($wired3) (10.0.3.x) I would like to restrict traffic between it
and the ISP. Clients on 10.0.3.x should not be able to access the
other subnets.

Take a look at the rules from your pf.conf:

block out quick from $wired3 to { $wired1 $wired2 }

and what they get translated to:

block drop out quick inet from 10.0.3.1 to 10.0.1.1
block drop out quick inet from 10.0.3.1 to 10.0.2.1

So apparently $wired1 $wired2 are not the network behind them, but only the interface itself, as is $wired3.

You might want:

block quick from em3:network to { em1:network em2:network }

instead.

best /m


I haven't been able to get that to work. And I have triple checked I am plugged in to the correct ports.

In addition, I changed my rules to restrict to just IPv4, to simplify things a bit.

So a snippet of the change is:

block quick from em3:network to { em1:network em2:network }
pass out quick inet from $wired3 to $isp
pass in on { $isp $wired1 $wired2 $wired3 } inet
pass out inet from { $isp $wired1 $wired2 }
And the pfctl output is:

block drop all
block drop quick inet from 10.0.3.0/24 to 10.0.1.0/24
block drop quick inet from 10.0.3.0/24 to 10.0.2.0/24
pass out quick inet from 10.0.3.1 to 10.0.0.99 flags S/SA
pass in on em0 inet all flags S/SA
pass in on em1 inet all flags S/SA
pass in on em2 inet all flags S/SA
pass in on em3 inet all flags S/SA
pass out inet from 10.0.0.99 to any flags S/SA
pass out inet from 10.0.1.1 to any flags S/SA
pass out inet from 10.0.2.1 to any flags S/SA

I've pasted my pf.conf below for reference. It's not perfect, but I have
a pretty simple setup and it works. I don't have global IPv6, so I can't
help with that. Anyway feel free to use it as a guide but resist
copy-pasting unless you're sure you understand what will happen. Let me
know if you have any questions about what's in there.

Also, if any of my feedback below is wrong, I hope someone will be nice
enough to correct me, and help us both out.

Some notes:
- You wrote that you want to restrict traffic between $wired3 and the
  ISP, but I don't see that in your rules. In addition to blocking all
  traffic between $wired3 and the other subnets, do you also want to
  prevent all $wired3 traffic from leaving your network (Internet
  access)?

- It looks like you have the default pf.conf contents at the top of your
  config. I created my pf.conf from scratch, so I left that out since I
  didn't think it was relevant to my router. However, if you want to
  include those rules in yours, I'd probably merge them into your other
  rules.

- Your NAT rule is near the top of your rules. That could cause issues
  since most of your block rules follow it. Unless you want to use the
  NATed address when evaluating your rules, you probably should place it
  lower. In my config, I placed it after all the block rules.

- I'd also place all your quick blocks before your block all rule. I
  don't think it makes a practical difference, but it "makes sense" and
  is easier to follow.

- In your antispoof rule, I'd remove $isp since egress refers to the
  same interface. I don't think leaving it there will cause issues, but
  it's cleaner IMO.

- As was already mentioned, you are using the interface macros
  incorrectly. Appending :network seems to work, but based on the docs I
  read, I decided to use tables when dealing with entire subnets. You
  can see how I use them in my pf.conf (macros containing the subnets,
  tables populated by the macros). You can use whichever method feels
  better to you, but remember to update all the rules. You still have
  some rules referencing the interfaces when you really want the
  subnets. A safe tip (I think): on --> interface, from/to -->
  address/subnet.

- What is your goal with the following rule?
  pass out quick inet from $wired3 to $isp

- I'm pretty sure you should remove $isp (or its subnet) from the final
  pass in/out rules. For those two, I'd recommend using my rules updated
  with your details (unless someone points out a reason not to).


/etc/pf.conf
============================================================
if_ext = "em0"
if_int1 = "em1"
if_int2 = "em2"
net_personal = "{ 10.0.0.0/24 fd00:10::/64 }"
net_guest = "{ 10.0.10.0/24 fd00:10:0:10::/64 }"
gw_personal = "{ 10.0.0.1 fd00:10::1 }"
gw_guest = "{ 10.0.10.1 fd00:10:0:10::1 }"
dev_wap1 = "10.0.0.2"
dev_wap2 = "10.0.10.2"
dev_waps = "{" $dev_wap1 $dev_wap2 "}"

table <martians> const { 0.0.0.0/8 10.0.0.0/8 127.0.0.0/8 169.254.0.0/16 \
                         172.16.0.0/12 192.0.0.0/24 192.0.2.0/24 \
                         192.168.0.0/16 198.18.0.0/15 198.51.100.0/24 \
                         203.0.113.0/24 224.0.0.0/3 ::/128 ::1/128 \
                         ::ffff:0:0/96 64:ff9b:1::/48 100::/64 2001:2::/48 \
                         2001:db8::/32 fc00::/7 fe80::/10 }
table <personal> const { $net_personal }
table <guest> const { $net_guest }
table <guestx> const { $net_guest !$dev_wap2 }

set block-policy drop
set loginterface egress
set skip on lo0

match in all scrub (no-df random-id max-mss 1440)

antispoof quick for { egress $if_int1 $if_int2 }
block in quick on egress from <martians> to any
block return out quick on egress from any to <martians>
block return out quick on egress from $dev_waps to any
block return in quick from <personal> to <guestx>
block return in quick from <guest> to <personal>
block return in quick proto { tcp udp } from <guest> to $gw_guest port 22
block all

match out on egress from <guest> to any set prio (2, 3)
match out on egress inet from !(egress:network) to any nat-to (egress:0)

pass out quick all
pass in on { $if_int1 $if_int2 } all
============================================================
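
As an added example (not part of any message in this thread, and not Jon's
or the reply's actual pf.conf), here is a minimal ruleset for Jon's
three-subnet layout that shows the interface-macro trap beside the fixed
form. Interface names and subnets are taken from the rules and pfctl output
above (em0 = $isp with 10.0.0.99, em1..em3 = $wired1..$wired3 with
10.0.1.0/24, 10.0.2.0/24, 10.0.3.0/24); the table names and everything else
are assumptions. Two things visible in the posted pfctl output motivate it:
the interface macros in from/to positions expanded to the interface
addresses (10.0.3.1, 10.0.1.1, 10.0.2.1), so the original block rule never
touched client traffic, and the final "pass out" rules only match the
router's own addresses, so forwarded client traffic has no pass out rule at
all and falls through to "block drop all".

```pf
# Added example, not any poster's real config. Interface names and subnets
# follow Jon's posted rules; table names and the rest are assumptions.
isp    = "em0"
wired1 = "em1"
wired2 = "em2"
wired3 = "em3"

# The trap: a bare interface macro in a from/to position expands to the
# interface's own address, so this only blocks 10.0.3.1 -> 10.0.1.1 and
# 10.0.3.1 -> 10.0.2.1 (compare the pfctl output in the thread). Hosts on
# 10.0.3.0/24 are NOT kept away from the other subnets.
#   block out quick from $wired3 to { $wired1 $wired2 }

# Subnets as tables, so from/to operands say what they mean.
table <net_wired1> const { 10.0.1.0/24 }
table <net_wired2> const { 10.0.2.0/24 }
table <net_wired3> const { 10.0.3.0/24 }

set skip on lo0
block all                      # default deny in both directions

# Isolate the third subnet from the other two in BOTH directions. Filtering
# on "in" catches the packet on the LAN interface before it is forwarded.
block return in quick from <net_wired3> to { <net_wired1> <net_wired2> }
block return in quick from { <net_wired1> <net_wired2> } to <net_wired3>

# If 10.0.3.x should also have no Internet access, add this block here,
# before the NAT match rule, so it still sees the original source address:
#   block return out quick on $isp from <net_wired3> to any

# NAT after the block rules, so the filters above match pre-NAT sources.
match out on $isp inet from !($isp:network) to any nat-to ($isp:0)

# Let each LAN in; nothing unsolicited is passed in on $isp. The router may
# forward or originate anything that was not blocked above.
pass in on { $wired1 $wired2 $wired3 } inet
pass out quick all
```

Check it with pfctl -nvf /etc/pf.conf (parse only, verbose), which prints
every rule after macro and table expansion; a from/to operand that came out
as a single host address instead of a /24 is the sign that an interface
macro was used where a subnet was meant. Note also that the <martians>
table in the config above contains 10.0.0.0/8, which covers Jon's egress
address 10.0.0.99, so that table would have to be adjusted before any of it
is carried over to his setup.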
