On 2025-04-28, Sha'ul <[email protected]> wrote:
> I am trying to write my first ruleset for router and firewall, how can I
> trim the ruleset?
>
> set skip on lo
>
> block return # block stateless traffic
> pass # establish keep-state
>
> # By default, do not permit remote connections to X11
> block return in on ! lo0 proto tcp to port 6000:6010
>
> block return out log proto {tcp udp} user _pbuild
>
> ext_if = "igc0" # External interface (WAN)
> int_if1 = "igc1" # Internal LAN 1
> int_if2 = "igc2" # Internal LAN 2
> int_if3 = "igc3" # DMZ
> wifi_if = "iwx0" # Wireless interface
>
> # External (WAN) IP and Internal network definitions
> ext_ip = "your.external.ip" # Public IP address (replace with actual)
> int_net1 = "192.168.1.0/24" # LAN 1 subnet
> int_net2 = "192.168.2.0/24" # LAN 2 subnet
> int_net3 = "192.168.3.0/24" # DMZ subnet
> wifi_net = "192.168.4.0/24" # Wireless network subnet
rather than setting macros, you can set interface groups on the
interfaces, and use e.g. "pass in on groupname from groupname:network".
> scrub in all
this is not openbsd syntax
> block all
>
> pass quick on lo0 all
you already told pf to skip lo0
> pass quick on $int_if1 from $int_net1 to any keep state
> pass quick on $int_if2 from $int_net2 to any keep state
> pass quick on $int_if3 from $int_net3 to any keep state
> pass quick on $wifi_if from $wifi_net to any keep state
"to any keep state" is implicit, you don't need to write it yourself
if you put all these interfaces in a single group you could do
"antispoof quick for internal" then "pass quick on internal"
which would have the same effect
> # NAT rules for outbound traffic from internal networks
> nat on $ext_if from $int_net1 to any -> ($ext_if)
> nat on $ext_if from $int_net2 to any -> ($ext_if)
> nat on $ext_if from $int_net3 to any -> ($ext_if)
> nat on $ext_if from $wifi_net to any -> ($ext_if)
this is not openbsd syntax
> pass in on $ext_if proto tcp from any to $ext_ip port { 80, 443 } keep
> state
>
> pass in on $ext_if proto tcp from { 192.168.1.0/24, 192.168.2.0/24 } to
> $ext_ip port 22 keep state
>
> pass in on $ext_if proto tcp from any to $int_net3 port 80 keep state
> pass in on $ext_if proto tcp from any to $int_net3 port 443 keep state
>
> pass in on $int_if1 from $int_net1 to $int_net2 keep state
> pass in on $int_if2 from $int_net2 to $int_net1 keep state
>
> # Allow internal networks to access wireless network
> pass in on $int_if1 from $int_net1 to $wifi_net keep state
> pass in on $int_if2 from $int_net2 to $wifi_net keep state
>
> pass in on $wifi_if from $wifi_net to $int_net1 keep state
> pass in on $wifi_if from $wifi_net to $int_net2 keep state
> pass in on $wifi_if from $wifi_net to $int_net3 keep state
>
> pass in on $int_if1 from $int_net1 to $int_net3 keep state
> pass in on $int_if3 from $int_net3 to $int_net1 keep state
>
> pass in on $ext_if proto icmp all icmp-type echoreq keep state
> pass in on $int_if1 proto icmp all icmp-type echoreq keep state
> pass in on $int_if2 proto icmp all icmp-type echoreq keep state
> pass in on $int_if3 proto icmp all icmp-type echoreq keep state
> pass in on $wifi_if proto icmp all icmp-type echoreq keep state
you already allowed _all_ traffic from the relevant networks on
$int_if1, $int_if2, $int_if3, $wifi_if so most of these rules
are no-ops.
--
Please keep replies on the mailing list.
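The trimmed ruleset the reply sketches, written out as an added example in OpenBSD pf.conf syntax (not code from either poster). It assumes the four inside interfaces have been put in an interface group named "internal" via their hostname.if files, that igc0 is the default-route interface and therefore sits in the automatic "egress" group, and that the DMZ subnet from the original post is still published directly (no rdr-to). The macro names dmz_if and dmz_net are assumptions for this example.

```pf
# Interface groups replace the per-interface macros. Put a line
#   group internal
# in /etc/hostname.igc1, hostname.igc2, hostname.igc3 and hostname.iwx0
# (or run "ifconfig igc1 group internal" etc.). The WAN interface igc0
# is a member of the automatic "egress" group, so it needs no macro.
# Assumed names for the example:
dmz_net = "192.168.3.0/24"

set skip on lo

# Default deny with TCP resets / ICMP unreachables, as in the stock pf.conf.
block return

# Keep the stock protections from the default ruleset.
block return in on ! lo0 proto tcp to port 6000:6010
block return out log proto { tcp udp } user _pbuild

# Drop packets arriving on an interface with a source address that does
# not belong on that interface; this covers every "from $int_netN" check
# the original per-interface rules were doing by hand.
antispoof quick for { egress internal }

# OpenBSD NAT syntax: one match rule for all inside networks, using the
# networks attached to the group instead of four hard-coded subnets.
match out on egress inet from internal:network nat-to (egress)

# Everything the inside networks originate is allowed, including traffic
# between LAN1, LAN2, wifi and the DMZ. State is kept by default, so the
# old "keep state" suffix is unnecessary.
pass in quick on internal

# Services the router itself offers on its public address.
pass in on egress inet proto tcp to (egress) port { 80 443 }
# Note: the original ssh rule accepted RFC1918 sources on the WAN side;
# antispoof drops those, and ssh from the LANs is already covered by the
# "pass in quick on internal" rule above, so no WAN-side ssh rule is kept.

# Published DMZ web servers (routed, not redirected).
pass in on egress inet proto tcp to $dmz_net port { 80 443 }

# Answer ping from any side; one rule instead of one per interface.
pass in inet proto icmp icmp-type echoreq

# Replies and forwarded traffic leaving on any interface.
pass out
```

Before loading it, run "pfctl -nf /etc/pf.conf" to parse the file without applying it, and "ifconfig internal" to confirm the group actually contains the four interfaces; an empty group makes "pass in quick on internal" match nothing, so the inside networks would be silently blocked by the default "block return".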