On 2024-12-29 10:14, Jon Fineman wrote:
On Tue, Dec 24, 2024 at 06:42:49PM -0400, Ricky Cintron wrote:
On 2024-12-24 08:27, Jon Fineman wrote:

third subnet ($wired3) (10.0.3.x) I would like to restrict traffic between it
and the ISP. Clients on 10.0.3.x should not be able to access the
other subnets.

Some notes:
- You wrote that you want to restrict traffic between $wired3 and the
 ISP, but I don't see that in your rules. In addition to blocking all
 traffic between $wired3 and the other subnets, do you also want to
 prevent all $wired3 traffic from leaving your network (Internet
 access)?

That was a poor choice of words. By restrict I meant I would like traffic to pass between $wired3 and $isp. I.e. restrict that traffic to that path.

Okay, now I understand.

Thank you both for your help.

It turns out my understanding and test case was poor.

My test case was placing a laptop on the $wired3 subnet and seeing what it could access. I could get out to the internet (good). I could also reach devices on my old network (bad). I didn't have any other devices on $wired1 or $wired2 at this point to test.

I mentally associated $isp with, well, my ISP. That was flawed, as it really was just my upstream connection to my ISP and my old network. So my laptop was able to reach my old network via the $isp connection, which was explicitly allowed (lack of a rule for that).

So there is a rule for that now until I completely migrate over. Also I have another device on $wired1 which it can't access (good).

At least now I have a much better understanding of the PF rules. Not great but better.

Thanks.

Jon

That's good. Just keep at it, read the man pages, learn from other pf
configuration files you come across, and put it all together.
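For readers following the thread, here is an added pf.conf sketch of the intent described above (it is not Jon's rule set, which is not shown in the thread). Interface names, the 10.0.x.0/24 layout and the old-network range 192.168.1.0/24 are assumptions. The first `block in quick` rule is the piece the original test missed: a plain `pass out on $isp` lets $wired3 reach anything behind $isp, including an old network that also sits upstream, so that destination must be blocked on the way in from $wired3.

```pf
# Added example, not the configuration from the thread.
# Interface names and the old-network range are assumptions.
isp     = "em0"             # upstream link; in the thread this also reaches the old network
wired1  = "em1"             # 10.0.1.0/24
wired2  = "em2"             # 10.0.2.0/24
wired3  = "em3"             # 10.0.3.0/24, restricted
old_net = "192.168.1.0/24"  # hypothetical old network reachable via $isp

# The other internal subnets $wired3 must not reach
table <internal> { 10.0.1.0/24, 10.0.2.0/24 }

set skip on lo

# NAT everything leaving the upstream link
match out on $isp inet from !($isp:network) to any nat-to ($isp)

# Default deny; everything below is an exception
block log all

# $wired3 may not reach the other subnets, nor the old network behind $isp.
# This is evaluated on the inbound side of em3 (before NAT rewrites the source),
# and "quick" stops evaluation so a later pass rule cannot override it.
block in quick on $wired3 from $wired3:network to { <internal>, $old_net }

# Whatever is left from $wired3 (Internet via $isp) is allowed
pass in on $wired3 from $wired3:network

# $wired1 and $wired2 are unrestricted
pass in on { $wired1 $wired2 }

# Router-originated and forwarded traffic may leave on any interface
pass out
```

After loading with `pfctl -f /etc/pf.conf`, `pfctl -sr` shows the expanded rules and `tcpdump -n -e -ttt -i pflog0` shows what the `block log all` rule drops, which is the quickest way to confirm that a test host on $wired3 is being refused by the block rule rather than by routing.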
