Hi, I would start by naming your internal interface variables in a meaningful way. It would make things much more readable for yourself and reduce the risk of a mental mistake.
Eg: int_lan1 int_lan2 int_dmz, and similarly with int_net1. Just a thought...

Cheers,
Steve W

On April 27, 2025 5:25:07 p.m. PDT, Sha'ul <sh...@riseup.net> wrote:
>I am trying to write my first ruleset for router and firewall, how can I
>trim the ruleset?
>
>set skip on lo
>
>block return # block stateless traffic
>pass # establish keep-state
>
># By default, do not permit remote connections to X11
>block return in on ! lo0 proto tcp to port 6000:6010
>
>block return out log proto {tcp udp} user _pbuild
>
>ext_if = "igc0" # External interface (WAN)
>int_if1 = "igc1" # Internal LAN 1
>int_if2 = "igc2" # Internal LAN 2
>int_if3 = "igc3" # DMZ
>wifi_if = "iwx0" # Wireless interface
>
># External (WAN) IP and Internal network definitions
>ext_ip = "your.external.ip" # Public IP address (replace with actual)
>int_net1 = "192.168.1.0/24" # LAN 1 subnet
>int_net2 = "192.168.2.0/24" # LAN 2 subnet
>int_net3 = "192.168.3.0/24" # DMZ subnet
>wifi_net = "192.168.4.0/24" # Wireless network subnet
>
># Packet normalisation (OpenBSD pf uses a match rule, not "scrub in all")
>match in all scrub (no-df)
>
>block all
>
>pass quick on lo0 all
>
>pass quick on $int_if1 from $int_net1 to any keep state
>pass quick on $int_if2 from $int_net2 to any keep state
>pass quick on $int_if3 from $int_net3 to any keep state
>pass quick on $wifi_if from $wifi_net to any keep state
>
># NAT rules for outbound traffic from internal networks
># (current OpenBSD pf syntax: "match ... nat-to" replaced "nat on" in 4.7)
>match out on $ext_if from $int_net1 to any nat-to ($ext_if)
>match out on $ext_if from $int_net2 to any nat-to ($ext_if)
>match out on $ext_if from $int_net3 to any nat-to ($ext_if)
>match out on $ext_if from $wifi_net to any nat-to ($ext_if)
>
>pass in on $ext_if proto tcp from any to $ext_ip port { 80, 443 } keep
>state
>
>pass in on $ext_if proto tcp from { 192.168.1.0/24, 192.168.2.0/24 } to
>$ext_ip port 22 keep state
>
>pass in on $ext_if proto tcp from any to $int_net3 port 80 keep state
>pass in on $ext_if proto tcp from any to $int_net3 port 443 keep state
>
>pass in on $int_if1 from $int_net1 to $int_net2 keep state
>pass in on $int_if2 from $int_net2 to $int_net1 keep state
>
># Allow internal networks to access wireless network
>pass in on $int_if1 from $int_net1 to $wifi_net keep state
>pass in on $int_if2 from $int_net2 to $wifi_net keep state
>
>pass in on $wifi_if from $wifi_net to $int_net1 keep state
>pass in on $wifi_if from $wifi_net to $int_net2 keep state
>pass in on $wifi_if from $wifi_net to $int_net3 keep state
>
>pass in on $int_if1 from $int_net1 to $int_net3 keep state
>pass in on $int_if3 from $int_net3 to $int_net1 keep state
>
>pass in on $ext_if proto icmp all icmp-type echoreq keep state
>pass in on $int_if1 proto icmp all icmp-type echoreq keep state
>pass in on $int_if2 proto icmp all icmp-type echoreq keep state
>pass in on $int_if3 proto icmp all icmp-type echoreq keep state
>pass in on $wifi_if proto icmp all icmp-type echoreq keep state
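As an added example, not from the thread or from Sha'ul's post, here is the posted policy condensed for current OpenBSD pf using Steve's role-based names, one macro list for the internal interfaces and one table for the internal networks, which brings it down to about a dozen rules. It assumes the same interfaces and subnets as the post, that each internal interface already carries its address when the ruleset loads (antispoof needs that), and keeps the post's ext_ip placeholder.

```conf
# Interfaces named by role (Steve's suggestion) instead of by number.
ext_if   = "igc0"
int_lan1 = "igc1"
int_lan2 = "igc2"
int_dmz  = "igc3"
int_wifi = "iwx0"
int_ifs  = "{" $int_lan1 $int_lan2 $int_dmz $int_wifi "}"
ext_ip   = "your.external.ip"   # placeholder from the post; replace before loading

# One table replaces the four per-network macros and can be inspected with pfctl -t.
table <internal> const { 192.168.1.0/24, 192.168.2.0/24, 192.168.3.0/24, 192.168.4.0/24 }

set skip on lo
match in all scrub (no-df)

# A single match rule with nat-to replaces the four per-subnet NAT lines.
match out on $ext_if inet from <internal> nat-to ($ext_if)

block all
block return in on ! lo0 proto tcp to port 6000:6010   # stock X11 guard
block return out log proto { tcp udp } user _pbuild    # stock ports-build guard
# A packet claiming an internal source address must arrive on that network's interface.
antispoof quick for $int_ifs

# pass rules keep state by default and states are floating, so this one rule
# lets every internal network reach anything (other LANs, wifi, DMZ, Internet).
# It replaces the four "pass quick on $int_ifN" lines and the ten LAN<->LAN,
# LAN<->wifi and LAN<->DMZ lines of the original.
pass in quick on $int_ifs from <internal>
pass out on $ext_if   # traffic the firewall itself originates

# Published on the WAN side: the firewall's own web ports, plus ping from anywhere.
pass in on $ext_if proto tcp to $ext_ip port { 80 443 }
pass in inet proto icmp icmp-type echoreq

# Dropped on purpose: the port 22 rule on $ext_if (SSH from the LANs arrives on
# $int_ifs and is already allowed there), and the "to $int_net3 port 80/443"
# rules, which never match on $ext_if until a rdr-to on $ext_ip sends traffic
# to the DMZ host.
```

Load it with `pfctl -nf /etc/pf.conf` first; the parse-only run catches macro and table typos before anything is enforced.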