On Sun, Apr 27, 2025, at 7:25 PM, Sha'ul wrote:
> I am trying to write my first ruleset for router and firewall, how can I
> trim the ruleset?
>
> set skip on lo
>
> block return # block stateless traffic
> pass # establish keep-state
>
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
>
> block return out log proto {tcp udp} user _pbuild
>
> ext_if = "igc0" # External interface (WAN)
> int_if1 = "igc1" # Internal LAN 1
> int_if2 = "igc2" # Internal LAN 2
> int_if3 = "igc3" # DMZ
> wifi_if = "iwx0" # Wireless interface
>
> # External (WAN) IP and Internal network definitions
> ext_ip = "your.external.ip" # Public IP address (replace with actual)
> int_net1 = "192.168.1.0/24" # LAN 1 subnet
> int_net2 = "192.168.2.0/24" # LAN 2 subnet
> int_net3 = "192.168.3.0/24" # DMZ subnet
> wifi_net = "192.168.4.0/24" # Wireless network subnet
>
> scrub in all
>
> block all
>
> pass quick on lo0 all
>
> pass quick on $int_if1 from $int_net1 to any keep state
> pass quick on $int_if2 from $int_net2 to any keep state
> pass quick on $int_if3 from $int_net3 to any keep state
> pass quick on $wifi_if from $wifi_net to any keep state
>
> # NAT rules for outbound traffic from internal networks
> nat on $ext_if from $int_net1 to any -> ($ext_if)
> nat on $ext_if from $int_net2 to any -> ($ext_if)
> nat on $ext_if from $int_net3 to any -> ($ext_if)
> nat on $ext_if from $wifi_net to any -> ($ext_if)
>
> pass in on $ext_if proto tcp from any to $ext_ip port { 80, 443 } keep state
>
> pass in on $ext_if proto tcp from { 192.168.1.0/24, 192.168.2.0/24 } to $ext_ip port 22 keep state
>
> pass in on $ext_if proto tcp from any to $int_net3 port 80 keep state
> pass in on $ext_if proto tcp from any to $int_net3 port 443 keep state
>
> pass in on $int_if1 from $int_net1 to $int_net2 keep state
> pass in on $int_if2 from $int_net2 to $int_net1 keep state
>
> # Allow internal networks to access wireless network
> pass in on $int_if1 from $int_net1 to $wifi_net keep state
> pass in on $int_if2 from $int_net2 to $wifi_net keep state
>
> pass in on $wifi_if from $wifi_net to $int_net1 keep state
> pass in on $wifi_if from $wifi_net to $int_net2 keep state
> pass in on $wifi_if from $wifi_net to $int_net3 keep state
>
> pass in on $int_if1 from $int_net1 to $int_net3 keep state
> pass in on $int_if3 from $int_net3 to $int_net1 keep state
>
> pass in on $ext_if proto icmp all icmp-type echoreq keep state
> pass in on $int_if1 proto icmp all icmp-type echoreq keep state
> pass in on $int_if2 proto icmp all icmp-type echoreq keep state
> pass in on $int_if3 proto icmp all icmp-type echoreq keep state
> pass in on $wifi_if proto icmp all icmp-type echoreq keep state
First, I would suggest reading the PF User's Guide thoroughly:

https://www.openbsd.org/faq/pf/

In the second section, Lists and Macros, you will see that you can combine many of your statements into a single line with a list:

pass in on { $ext_if $int_if1 $int_if2 $int_if3 $wifi_if } proto icmp all icmp-type echoreq keep state

You may also wish to work from the included router example.

Brian Conway
Owner
RCE Software, LLC
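As an added example, not code from the thread or from either poster: the posted ruleset trimmed the way the reply suggests, with macros that hold lists and one rule per purpose. It assumes current OpenBSD (the `set skip on lo` and `_pbuild` lines are from the stock OpenBSD pf.conf), where `scrub` and NAT are options on `match` rules rather than standalone `scrub` and `nat on` rules, and where `keep state` is the default and need not be written. Interface names and subnets are the poster's; everything else is an assumption.

```pf
# Added example, not from the thread: the posted ruleset trimmed with
# macros and lists, written for current OpenBSD pf.conf(5), where scrub
# and NAT are options on "match" rules and "keep state" is the default.
# Interface names and subnets are the poster's; the rest is assumption.

ext_if   = "igc0"                           # WAN
int_ifs  = "{ igc1 igc2 igc3 iwx0 }"        # LAN 1, LAN 2, DMZ, wireless
int_nets = "{ 192.168.1.0/24 192.168.2.0/24 192.168.3.0/24 192.168.4.0/24 }"

set skip on lo

# Normalisation and outbound NAT: one match rule each instead of
# "scrub in all" and four "nat on" rules. ($ext_if:0) is the first WAN
# address, looked up at run time, so no hard-coded ext_ip is needed.
match in all scrub (no-df)
match out on $ext_if inet from $int_nets nat-to ($ext_if:0)

# Default deny (with RST/unreachable), plus the two rules from the
# stock OpenBSD pf.conf the poster started from.
block return
block return in on ! lo0 proto tcp to port 6000:6010
block return out log proto { tcp udp } user _pbuild

# A packet with an inside source address arriving on the wrong inside
# interface is dropped. This is what pairing $int_ifN with $int_netN in
# four separate rules was doing by hand.
antispoof quick for $int_ifs

# Inside segments may reach the Internet and each other, as the posted
# rules allow. The "on" and "from" lists expand to 4x4 = 16 rules; the
# state they create also carries the reply back, so forwarded traffic
# needs no matching "pass out".
pass in on $int_ifs from $int_nets

# The router's own connections (DNS, ntpd, syspatch).
pass out

# Services the router offers on its WAN address; ($ext_if) resolves to
# the interface's addresses when the rule is evaluated.
pass in on $ext_if inet proto tcp to ($ext_if) port { 80 443 }

# Ping on every interface: a rule with no "on" clause applies to all.
pass in inet proto icmp icmp-type echoreq
```

`pfctl -nf /etc/pf.conf` parses the file without loading it; adding `-v` prints the expanded ruleset, which shows that a list is shorthand for one rule per element. Two things in the original are deliberately not carried over. The nine rules passing traffic between the LANs, the DMZ and the wireless net were already dead code, because the earlier `pass quick ... to any` rules matched first; one blanket inside rule replaces all of them, and it also covers SSH from the LANs to the router, so the posted SSH rule (which only matches packets with a private source address arriving on the WAN interface, exactly what antispoof drops) is gone. Publishing a DMZ host on ports 80 and 443 needs a `match ... rdr-to` rule naming that host's address, which the post does not give, so it is left out rather than guessed.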